Old root certificate of Let's Encrypt TLS certificates for custom domains has expired

Netlify uses a service called Let’s Encrypt to automatically provide the TLS/SSL certificate for your Netlify websites that use custom domains for free. We’re proud to be doing our part to make the web more secure by partnering with Let’s Encrypt.

On September 30, 2021, Let’s Encrypt’s root certificate “DST Root CA X3” expired. This expiration has caused certain browser clients with older operating systems not to be able to load your website, as “DST Root CA X3” has expired and “ISRG Root X1” (the “new” root) is not trusted by these clients.

Examples of these clients would be old iOS devices (below iOS 10) or old Android devices (below Android 2.3.6). You can find the list of clients that trust “ISRG Root X1” here: https://letsencrypt.org/docs/certificate-compatibility/

:computer: What can I do to support older devices?

If you wish to support older devices too, you would need to purchase a custom SSL certificate that supports older devices. Any certificates issued by Let’s Encrypt will have this issue. You can always upload the custom certificate in your site’s domain settings page. More documentation on custom certificates and Netlify can be found here: HTTPS (SSL) | Netlify Docs

:robot: I’ve heard that some Android devices would face this issue in the past?

You are correct, previously it was mentioned that some Android devices (prior to 7.1.1) will be unable to load the websites too (forum post). However, the Let’s Encrypt team worked with IdenTrust to extend this support and the certificate will work with these Android devices until early 2024.

You can read more in https://letsencrypt.org/2020/12/21/extending-android-compatibility.html.

If you have questions or concerns, please let us know in the comments!

7 Likes

This issue is also affecting people on Enterprise security systems like Fortinet. Users on Fortinet (for example) are unable to access our sites on Netlify.

This can be rectified on Netlify’s side by removing the expired DST Root CA X3 certificate from the chain. Can you please remove the expired certificate so users on Fortinet et al can access our sites?
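To make concrete what the announcement above and the request to drop the expired certificate from the chain are both about, here is an added example (not code from Netlify, Let’s Encrypt or anyone in this thread). It builds a small constructed PKI with the same shape as the real one: an old self-signed root that expires on 2021-09-30, a new self-signed root, a cross-signed copy of the new root issued by the old root, an intermediate under the new root, and a leaf. It then verifies the leaf as three different clients would. The names “DST Root CA X3”, “ISRG Root X1” and “R3” are reused only as labels; all keys, serial numbers, the hostname and every other date are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds the constructed certificates; the shape mirrors the Let's Encrypt
// chain discussed in the thread, nothing here is a real certificate.
type PKI struct {
	OldRoot, NewRoot, CrossSignedNewRoot, Intermediate, Leaf *x509.Certificate
}

var serial int64 = 1 // constructed serial numbers, one per certificate

// issue builds a certificate for key's public key, signed by parent/parentKey.
// When parent is nil the certificate is self-signed.
func issue(cn string, isCA bool, notBefore, notAfter time.Time, key *ecdsa.PrivateKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{"www.example.com"} // constructed hostname
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// BuildPKI creates the five certificates. The old root's expiry is the date the
// thread is about (2021-09-30); every other date is constructed for the example.
func BuildPKI() *PKI {
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	oldKey, newRootKey, intKey, leafKey := newKey(), newKey(), newKey(), newKey()

	oldRoot := issue("DST Root CA X3", true, date(2000, 9, 30), date(2021, 9, 30), oldKey, nil, nil)
	newRoot := issue("ISRG Root X1", true, date(2015, 6, 4), date(2035, 6, 4), newRootKey, nil, nil)
	// Cross-sign: same subject and public key as newRoot, but issued by the old root.
	cross := issue("ISRG Root X1", true, date(2021, 1, 20), date(2024, 9, 30), newRootKey, oldRoot, oldKey)
	inter := issue("R3", true, date(2020, 9, 4), date(2025, 9, 15), intKey, newRoot, newRootKey)
	leaf := issue("www.example.com", false, date(2021, 9, 1), date(2021, 11, 30), leafKey, inter, intKey)
	return &PKI{oldRoot, newRoot, cross, inter, leaf}
}

// VerifyAs checks the leaf the way a client would: it trusts only the given roots,
// is handed the extra chain certificates by the server, and evaluates at time now.
func VerifyAs(leaf *x509.Certificate, served, trusted []*x509.Certificate, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range served {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	return err
}

func main() {
	p := BuildPKI()
	// The "long" chain a server sends: intermediate plus the cross-signed new root.
	served := []*x509.Certificate{p.Intermediate, p.CrossSignedNewRoot}
	cases := []struct {
		name    string
		trusted []*x509.Certificate
		now     time.Time
	}{
		{"old trust store, before expiry", []*x509.Certificate{p.OldRoot}, date(2021, 9, 15)},
		{"old trust store, after expiry", []*x509.Certificate{p.OldRoot}, date(2021, 10, 15)},
		{"updated trust store, after expiry", []*x509.Certificate{p.NewRoot}, date(2021, 10, 15)},
	}
	for _, c := range cases {
		fmt.Printf("%-34s -> %v\n", c.name, VerifyAs(p.Leaf, served, c.trusted, c.now))
	}
}
```

The first case succeeds and the second fails, which is the situation the announcement describes: a client that only trusts the old root validated fine until 2021-09-30 and cannot build any valid path afterwards, whatever the server sends. The third case succeeds because Go’s verifier builds the path straight to the trusted new root and ignores the expired cross-sign in the served chain; verifiers that instead insist on the chain exactly as served reject it because it contains an expired certificate, which is why serving the intermediate without the cross-signed root, as asked for above, is what unblocks those clients while still working for every client that trusts the new root.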

Hey there, @liam1 :wave:

Thanks for bringing this to our attention. Our team is looking into this further, and will follow up on this thread when we have an update for you.

2 Likes

Thank you. I believe a number of services like Fortinet are affected, such as Palo Alto and Cisco Umbrella. Users of those services get a security error when visiting our applications.

I understand the fault isn’t with Netlify, but Fortinet in particular seem to be dropping the ball and blaming everyone but themselves, so it looks like you’re our only hope.

Thank you for looking into this! Electron applications also can’t communicate with Netlify currently, unless they’re built from a version of Electron that was released yesterday. Removing the expired certificate from the chain should fix that for Electron too. That would make my life a lot easier, as for now I’ve had to move some files off of Netlify, which is obviously much less convenient.

Thanks for chiming in here, @NoahAndrews. We will follow up on this thread when we have more information for everyone.

2 Likes

It looks like this issue was resolved but I just wanted to link my prior issue to this.

2 Likes

This topic was automatically closed after 14 days. New replies are no longer allowed.