2.15.1.2.5. Problem with Let's Encrypt certificate on older devices

Attention!

This situation does not in any way affect the security level of Let's Encrypt certificates.

On September 30, 2021 the DST Root CA X3 root certificate expired. As a result, outdated devices that have not received updates for a long time and do not know the new ISRG Root X1 root certificate stopped trusting the old chain: when visiting sites that use Let's Encrypt certificates, they show warnings or cannot establish a secure connection.

Obsolete here means devices and operating systems more than 5 years old, including:

  • Windows XP up to SP3 (as well as for SP3 and Windows 7, if the root certificates were not automatically renewed).
  • macOS before 10.12.1.
  • iOS up to 10.
  • Android up to 2.3.6 (access to services may still work because of the way Android verifies root certificates; versions up to 7.1.1 will stop supporting the certificate in 2024).
  • Ubuntu before 16.04.
  • Debian before 8.
  • Sony PlayStation 3 and 4 with firmware up to 5.00.
  • Older smart TVs and smart home devices.
  • Devices using OpenSSL version 1.0.x.

There are several ways to solve the problem. The best solution is to update the software to the latest versions, which already include support for the new root certificate. It is worth taking other measures only when necessary, for example when a fairly large part of the service's audience uses outdated software and those users are critical for the project. Otherwise the current situation can be ignored.

From the client's side, you can:

  1. Manually install the ISRG Root X1 root certificate if it is not present in the certificate store of the system or the software used.
  2. Remove the obsolete DST Root CA X3 certificate. The presence of the outdated root certificate can interfere with the normal operation of services that use Let's Encrypt certificates.

Attention! This approach does not solve the problem on every device.

Windows 7

In Windows 7 the root certificate chain should have been updated automatically if operating system updates are enabled; otherwise, install the root certificate yourself by following these steps:

  1. Download the ISRG Root X1 root certificate from the Let's Encrypt site in DER format.
  2. Run the downloaded file and allow it to open by clicking «Open».
  3. In the window that appears, click «Install Certificate».
  4. Select whom you want to install the certificate for and click «Next».
  5. Select the item «Place all certificates in the following store» and press «Browse».
  6. Select the store «Trusted Root Certification Authorities» and press «OK».
  7. Click «Next», check that the selected data is correct and click «Finish».
  8. Check the operation of the services with which access problems occurred.

Debian/Ubuntu

  1. To check if the root certificate is in the trusted list, run the command in the terminal:
    awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep "ISRG Root X1"

    If the command output contains subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1, no action is needed; otherwise proceed to the next step.

  2. Run the command in the terminal (the line is appended to /etc/ca-certificates.conf through sudo tee -a, because a redirection after sudo echo would run without root rights):
    curl -k https://letsencrypt.org/certs/isrgrootx1.pem.txt | sudo tee /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt ; echo "mozilla/ISRG_Root_X1.crt" | sudo tee -a /etc/ca-certificates.conf ; sudo update-ca-certificates
  3. Check the operation of the services with which access problems occurred.

CentOS

  1. To check if the root certificate is in the trusted list, run the command in the terminal:
    awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.crt | grep "ISRG Root X1"

    If the command output contains subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1, no action is needed; otherwise proceed to the next step.

  2. Run the following commands in the terminal:
    trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
    sudo update-ca-trust
  3. Check the operation of the services with which access problems occurred.
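The check in step 1 of the Debian/Ubuntu and CentOS sections as reusable shell functions with exit codes, plus a fingerprint helper for the file fetched with curl -k (added example, not part of the original page). It assumes openssl is on PATH and that the bundle is a concatenation of PEM certificates, as /etc/ssl/certs/ca-certificates.crt and /etc/ssl/certs/ca-bundle.crt are.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl is installed and
# the bundle is concatenated PEM certificates (Debian ca-certificates.crt,
# CentOS ca-bundle.crt).

# Run "$@" once per certificate in the bundle, with that certificate on stdin.
for_each_cert() {
  bundle="$1"; shift
  tmp=$(mktemp)
  while IFS= read -r line; do
    printf '%s\n' "$line" >> "$tmp"
    case $line in
      *END\ CERTIFICATE*) "$@" < "$tmp"; : > "$tmp" ;;   # one block complete
    esac
  done < "$bundle"
  rm -f "$tmp"
}

# One line per certificate: "<OK|EXPIRED><TAB><subject in RFC 2253 form>".
# -checkend 0 exits nonzero once notAfter has passed (DST Root CA X3 since
# 2021-09-30); RFC 2253 output looks the same in OpenSSL 1.0.x and 1.1.x.
bundle_report() {
  for_each_cert "$1" sh -c '
    pem=$(cat)
    subj=$(printf "%s\n" "$pem" | openssl x509 -noout -subject -nameopt RFC2253 |
           sed "s/^subject= *//")
    if printf "%s\n" "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then st=OK
    else st=EXPIRED; fi
    printf "%s\t%s\n" "$st" "$subj"'
}

# Exit 0 if a certificate with the given CN (e.g. "ISRG Root X1") is trusted.
bundle_has_cn() { bundle_report "$1" | grep -Eq "CN=$2(,|$)"; }

# Print the subjects of trusted roots that have already expired.
bundle_expired() { bundle_report "$1" | awk -F '\t' '$1 == "EXPIRED" { print $2 }'; }

# SHA-256 fingerprint of a PEM or DER certificate file as lowercase hex without
# colons, to compare with the value Let's Encrypt publishes before a file
# downloaded with "curl -k" (no TLS verification) is added to the trust store.
cert_sha256() {
  inform=PEM; grep -q 'BEGIN CERTIFICATE' "$1" || inform=DER
  openssl x509 -in "$1" -inform "$inform" -noout -fingerprint -sha256 |
    sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}
```

bundle_expired lists roots such as DST Root CA X3 that the OpenSSL 1.0.x section below says to disable; cert_sha256 only computes the fingerprint, the expected value must be taken from the Let's Encrypt site.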

OpenSSL 1.0.x

If the system uses an outdated version of OpenSSL, remove the obsolete root certificate from the trusted list as follows:

  • For Debian / Ubuntu, edit the file /etc/ca-certificates.conf, put the symbol ! at the beginning of the line mozilla/DST_Root_CA_X3.crt, and run the command:
    update-ca-certificates

From the server side, the problem can be solved only by using other certificates.

  1. To use a different certificate, purchase it from one of the certification authorities or their partners. When choosing a new certificate, consider what functions it provides and which areas it is suitable for. For example, below are some well-known CAs:
  2. Install the received certificate for the site.
  3. After installing the certificate, wait for the cached information to update (usually within 15 minutes) and check the site on the problem device.