Recently, the Let's Encrypt root certificate has expired.
This is one of the first major digital certificates to expire since the
advent of the internet. Therefore, there is no precedent for how to
solve the problem besides updating the software on devices.
In normal circumstances this event, a root CA expiring, wouldn't even be
worth talking about because the transition from an old root certificate
to a new root certificate is completely transparent. The reason we're
having a problem at all is because clients don't get updated regularly
and if the client doesn't get updated, then the new root CA that
replaces the old, expiring root CA is not downloaded onto the device.
One of the notable clients that will still be affected by this
expiration is anything depending on the OpenSSL 1.0.2 or earlier
library, release 22nd January 2015 and last update as OpenSSL 1.0.2u on
20th December 2019.
These are some of clients that will have issues
| OpenSSL
1.0.2
Windows
XP SP3
macOS
10.12.1
iOS
10 (iPhone 5 is the lowest model that can get to iOS 10)
Android
7.1.1 (but >= 2.3.6 will work if served ISRG Root X1 cross-sign)
Mozilla Firefox
50 |
Ubuntu
16.04
Debian
8
Java 8
8u141
Java 7
7u151
NSS
3.26
Amazon FireOS
(Silk Browser) |
