An old Let’s Encrypt root certificate expired: What does this mean for your website?

On September 30, one of Let’s Encrypt’s root certificates expired. This was a planned obsolescence, only affecting devices with old, unsupported operating systems. It has likely affected millions of people, causing difficulty connecting to the millions of websites supported by this certificate.

Let’s break this down a little so we can understand exactly what is happening.

Let’s Encrypt is a provider of SSL certificates. An SSL certificate is what allows a website to show up as “Secure” in an internet browser. It’s the difference between HTTP (no SSL) and HTTPS (SSL). So when you land on a website that has an SSL certificate, you’ll see the little lock icon or “Secure” in the browser next to the URL.

When a website doesn’t have an SSL certificate, your web browser will let you know that the site is not secure, either with a “Not Secure” next to the URL or oftentimes with a screening page where you have to click to proceed to the non-secure website.

A root SSL certificate is a certificate issued by a trusted certificate authority (CA), and forms the basis for the “chain of trust” which tells browsers and devices if they can trust your website. Let’s Encrypt previously operated with two different root certificates:

ISRG Root X1 - This root certificate tells modern browsers and devices to trust the websites that it is on. However, many older devices, browsers, and operating systems don’t have the capability to support this certificate, so Let’s Encrypt had another one to help with this.

DST Root CA X3 - This is the root certificate that expired. It was previously in place to help older devices and browsers to trust the websites that it was on.

So now, any website that had this expired root certificate is showing as “not secure” to people that visit said website on an older device that doesn’t support the more modern root certificate.

What does that mean for website visitors and smart device users?

If you find that more websites than usual are showing up as “not secure” on your device or browser, you may want to check to see which version of your browser or operating system you are currently using.

So far, it appears that the following operating systems and browsers have been affected:

  • Android 7.1.1 and previous versions
  • iOS 10 and previous versions
  • Older versions of macOS 2016
  • Older versions of Windows XP
  • Older smart TVs
  • Nintendo 3DS
  • PlayStation 3 and PlayStation 4
  • Many other devices from 2016 and before

This is not an exhaustive list of all devices/browsers that have been or will be affected.

If you operate on any of the aforementioned systems, your website browsing could be affected by the expiration of the root certificate DST Root CA X3.

For a quick fix on any applicable devices, you can install Mozilla Firefox. Firefox maintains its own list of root certificates that get updates as the browser is updated, so old operating systems do not affect Firefox like they do the other major browsers.

Another option is to update your operating system to the latest version so your device is supported by the modern root certificate that many websites already have.

If neither of these options is applicable to your device and you are still having trouble accessing websites or apps, then it may be time to upgrade to a newer device.

What does this mean for website owners?

If you are a website owner and have noticed that your website shows up as not secure or that customers are having trouble accessing your website, don’t fret - we have options for you too.

Assuming you have a current SSL certificate, your website is still secure and will work just fine on modern devices and operating systems. It’s your customers, and maybe even your office or staff, with older systems who will be impacted by this.

For a quick fix, try having anyone in your office or on your staff install Mozilla Firefox on their device and use that for navigating your website.

Another option if you want to ensure your website is not affected by this is to install a different SSL certificate on your website. We recommend talking to your website developer or IT team about this option.
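Before changing certificates, your developer or IT team can check whether the certificate chain your server sends actually leads to DST Root CA X3. The script below is an added example, not part of the original article: it parses saved output of `openssl s_client -connect example.org:443 -showcerts` and lists any certificate in the chain that was signed by the expired root (the hostname and both sample chains are constructed for illustration).

```python
import re

EXPIRED_ROOT = "DST Root CA X3"

# Constructed sample: the "Certificate chain" part of the output of
# `openssl s_client -connect example.org:443 -showcerts`.
SAMPLE_OLD_CHAIN = """\
Certificate chain
 0 s:CN = example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

# Constructed sample: a chain that stops at ISRG Root X1.
SAMPLE_NEW_CHAIN = """\
Certificate chain
 0 s:CN = example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""

_CN = re.compile(r"\bCN\s*=\s*([^,/]+)")     # handles "CN = x" and "/CN=x"
_SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")  # e.g. " 0 s:CN = example.org"
_ISSUER = re.compile(r"^\s*i:(.*)$")         # e.g. "   i:C = US, ..."

def _cn(dn):
    """Pull the common name out of a distinguished name string."""
    m = _CN.search(dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        s, i = _SUBJECT.match(line), _ISSUER.match(line)
        if s:
            subject = _cn(s.group(1))
        elif i and subject is not None:
            chain.append((subject, _cn(i.group(1))))
            subject = None
    return chain

def certs_signed_by_expired_root(text):
    """Subjects in the served chain whose issuer is the expired root."""
    return [subj for subj, issuer in parse_chain(text) if issuer == EXPIRED_ROOT]
```

An empty list means the served chain does not reference DST Root CA X3; a non-empty list names the certificate that chains to it.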

We will help any of our existing customers who are interested in doing this. We can get an alternative SSL certificate issued and installed for $55 per year. Just give our office a call to get this taken care of today!