PSA 30.09.2021: Facing strange SSL / ACME / Letsencrypt problems today? Read this!
Because the problems seem more widespread than expected, and surprisingly many places don't yet talk about this, I thought I'd post a quick heads-up here.
TLDR: Letsencrypt switched to a different CA a while ago. The old CA's root certificate expired today. Chances are that whatever code auto-renews your Letsencrypt cert has still used the old CA till today. So your shiny new cert that's valid for another 60 days and looks perfectly fine is actually worth jackshit now. You need to remove the old CA and renew the cert again. It should be based on the new CA now.
Of course there's more to it, and your specific problem might be a bit more complicated.
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
You can see some fallout in the opnsense forums for example:
https://forum.opnsense.org/index.php?topic=24950.0 and others
Check your torrent client! Some of your most favorite sources for Linux ISOs are unconnectable as we speak. EDIT: Or maybe my seedbox is just not able to handle this properly. No one else seems to be affected. No threads in the trackers' forums or announcements.
Comments
We handled the same issue at work today.
The blog post at https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ explains the issue and gives more options to solve it besides upgrading to a newer OpenSSL version.
This is flat out wrong. No server-side change is required with regard to that CA cert expiring.
This is wrong or a misconfiguration on your end. There should be nothing involved - this should only impact OUTDATED and BROKEN clients.
Well, I'll take your word for it. I'm not deep into this. And any correction is of course welcome! But our OPNsense with HAproxy plugin was spitting out SSL errors today and broke things. What I wrote above was exactly the problem and solution in this case. So I guess that counts as broken or outdated. Of course it shouldn't happen, but I'm not the only one affected. Just read the links.
https://google.com/search?q=letsencrypt+root+ca+30.09.2021
Well, I can tell you that I have been quite busy fixing systems that got affected by this. So it looks like it caught quite a few people unaware and exposed sub-optimal implementations and configurations.
The end is nigh!
Change to another CA?
I'm using ACME.sh, so it's just a few seconds to switch.
I want to put this as an auto reply to support tickets this week.
Well, no client will build an alternative path, and will fail if you give the wrong intermediate (R3 signed by DST Root X3, which separately expired).
If you're running a DNS over TLS server and using Let's Encrypt, it will break on Android. I tried adding the CA manually, no cigar. On android, Private DNS using Let's Encrypt will not work.
It works now. Check this thread: https://talk.lowendspirit.com/discussion/3402/adguard-home-dns-over-tls-issue#latest
Yes, it will work if you regenerate the certificate and force the preferred chain to X1. Just switched mine to Sectigo since geocerts offered 1 year free wildcard cert, working well now.
Well, not entirely correct, as a web server is in fact both a server and a client itself - wget, curl, openssl etc.
Heads-up on this expiry was months ago, but still unforeseen impacts have occurred. For my Centmin Mod users, fixes including how to switch from Letsencrypt to ZeroSSL based certificates: https://blog.centminmod.com/2021/10/02/2425/centmin-mod-managing-letsencrypt-dst-root-ca-x3-certificate-expiration-on-centos-7/
Biggest unexpected problem I have been dealing with has not been the change of root per se but the inclusion of the alternative trust path in the certificate chain.
October 2019-era GnuTLS fails to verify that... OpenSSL had a similar issue (but is more widely kept up to date).
It seems like it does impact certain PHP installations; if you are using curl, you may be impacted.
Despite curl on the OS working fine.
@Neoon Probably PHP linked statically against old curl, old OpenSSL or old GnuTLS.
When I say old, at least for GnuTLS versions shipped with common distributions... not that old (anything before 3.6.14 is broken).
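The situations argued over in this thread (the stale chain that "looks perfectly fine" until the old root expires, the renewal that switches to the new root, and the cross-signed path that only an up-to-date chain builder resolves) can be reproduced offline with a throwaway PKI. The Go program below is an added editorial example, not code from the thread, from Let's Encrypt or from any of the projects mentioned; every name, key and date in it is constructed ("Demo Old Root" and "Demo New Root" stand in for the old and new root, "Demo R3" for the intermediate, and the old root is set to expire on 30.09.2021), and it uses Go's own crypto/x509 verifier as the client. Because that verifier is a modern path builder, the last case succeeds; the older GnuTLS and OpenSSL builds mentioned above would not necessarily do the same, and their behaviour is not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed demo PKI (not real Let's Encrypt certs): one intermediate key "R3" signed by an old and a new root, plus the new root cross-signed by the old one.
var farFuture = time.Date(2035, 6, 4, 0, 0, 0, 0, time.UTC)
var serial int64
type certs = []*x509.Certificate

type DemoPKI struct {
	OldRoot, NewRoot, R3ViaOld, R3ViaNew, NewRootCross, Leaf *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issue signs tmpl for key with signer's key; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

func caTemplate(cn string, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func NewDemoPKI() *DemoPKI {
	oldKey, newKey, r3Key, leafKey := genKey(), genKey(), genKey(), genKey()
	oldRootExpiry := time.Date(2021, 9, 30, 14, 0, 0, 0, time.UTC) // the day the thread was posted
	p := &DemoPKI{}
	p.OldRoot = issue(caTemplate("Demo Old Root", oldRootExpiry), nil, oldKey, nil)
	p.NewRoot = issue(caTemplate("Demo New Root", farFuture), nil, newKey, nil)
	p.R3ViaOld = issue(caTemplate("Demo R3", farFuture), p.OldRoot, r3Key, oldKey)
	p.R3ViaNew = issue(caTemplate("Demo R3", farFuture), p.NewRoot, r3Key, newKey)
	p.NewRootCross = issue(caTemplate("Demo New Root", farFuture), p.OldRoot, newKey, oldKey)
	leaf := &x509.Certificate{
		Subject: pkix.Name{CommonName: "example.test"}, DNSNames: []string{"example.test"},
		NotBefore: time.Date(2021, 8, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2021, 12, 28, 0, 0, 0, 0, time.UTC),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	p.Leaf = issue(leaf, p.R3ViaNew, leafKey, r3Key) // same leaf whichever R3 is sent with it
	return p
}

// ChainValid is the client-side check: does leaf reach a trusted root through the intermediates
// the server sent, at time now? A nil result means the TLS handshake would succeed.
func ChainValid(leaf *x509.Certificate, sent, trusted certs, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	return err
}

func main() {
	p := NewDemoPKI()
	before, after := time.Date(2021, 9, 1, 0, 0, 0, 0, time.UTC), time.Date(2021, 10, 1, 0, 0, 0, 0, time.UTC)
	show := func(name string, sent, trusted certs, now time.Time) {
		fmt.Printf("%-46s -> %v\n", name, ChainValid(p.Leaf, sent, trusted, now))
	}
	show("stale chain, trusts old root, before expiry", certs{p.R3ViaOld}, certs{p.OldRoot}, before)
	show("stale chain, trusts old root, after expiry", certs{p.R3ViaOld}, certs{p.OldRoot}, after)
	show("stale chain, trusts new root only", certs{p.R3ViaOld}, certs{p.NewRoot}, after)
	show("renewed chain, trusts new root", certs{p.R3ViaNew}, certs{p.NewRoot}, after)
	show("renewed chain + cross-sign, trusts both roots", certs{p.R3ViaNew, p.NewRootCross}, certs{p.OldRoot, p.NewRoot}, after)
}
```

Run it with `go run`; each line prints `<nil>` for a chain the client accepts and the verifier's error otherwise. The third case (stale chain, client trusts only the new root) is the point of the original post: removing the old CA from the trust store is not enough on its own, the server also has to renew so that the intermediate it sends is the one issued by the new root. The last case is what the "only outdated clients are affected" replies describe: a client that has the new root and builds paths properly ignores the expired cross-sign and stops at the root it already trusts.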