davidbgk
/
larlet-fr-david-cache
Suivre 1
Ajouter aux favoris 0
Bifurcation 0
Code Versions 0 Activité
A place to cache linked articles (think custom and personal wayback machine)
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
147 Révisions
1 Branche
Aborescence: cf1d73f4ca
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de 'cf1d73f4ca'
${ noResults }
larlet-fr-david-cache/cache/2021/372cdbf3dc67c7796673bec4aae.../index.md

index.md 3.1KB
Brut Vue normale Historique

More links
il y a 3 ans
 12345678910111213141516171819202122232425262728293031323334353637 
  1. title: DST Root CA X3 Expiration (September 2021)

  2. url: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

  3. hash_url: 372cdbf3dc67c7796673bec4aaeb9f0f

  4. 

  5. <p>On September 30 2021, there will be a small change in how older browsers and devices

  6. trust Let’s Encrypt certificates. If you run a typical website, you won’t notice

  7. a difference - the vast majority of your visitors will still accept your Let’s

  8. Encrypt certificate. If you provide an API or have to support IoT devices, you

  9. might have to pay a little more attention to the change.</p>

  10. <p>Let’s Encrypt has a “<a href="https://letsencrypt.org/docs/glossary/#def-root">root certificate</a>” called <a href="https://letsencrypt.org/certificates/" hreflang="en-US">ISRG Root X1</a>. Modern browsers and

  11. devices trust the Let’s Encrypt certificate installed on your website because

  12. they include ISRG Root X1 in their list of root certificates. To make sure the

  13. certificates we issue are trusted on older devices, we also have a

  14. “cross-signature” from an older root certificate: DST Root CA X3.</p>

  15. <p>When we got started, that older root certificate (DST Root CA X3) helped us get

  16. off the ground and be trusted by almost every device immediately. The newer root

  17. certificate (ISRG Root X1) is now widely trusted too - but some older devices

  18. won’t ever trust it because they don’t get software updates (for example, an

  19. iPhone 4 or an HTC Dream). <a href="https://letsencrypt.org/docs/certificate-compatibility/" hreflang="en-US">Click here for a list of which platforms trust ISRG

  20. Root X1</a>.</p>

  21. <p>DST Root CA X3 will expire on September 30, 2021. That means those older devices

  22. that don’t trust ISRG Root X1 will start getting certificate warnings when

  23. visiting sites that use Let’s Encrypt certificates. There’s one important

  24. exception: older Android devices that don’t trust ISRG Root X1 will continue to

  25. work with Let’s Encrypt, <a href="https://letsencrypt.org/2020/12/21/extending-android-compatibility.html">thanks to a special cross-sign from DST Root CA X3</a>

  26. that extends past that root’s expiration. This exception only works for Android.</p>

  27. <p>What should you do? For most people, nothing at all! We’ve set up our

  28. certificate issuance so your web site will do the right thing in most cases,

  29. favoring broad compatibility. If you provide an API or have to support IoT

  30. devices, you’ll need to make sure of two things: (1) all clients of your API

  31. must trust ISRG Root X1 (not just DST Root CA X3), and (2) if clients of your

  32. API are using OpenSSL, <a href="https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816">they must use version 1.1.0 or later</a>. In OpenSSL

  33. 1.0.x, a quirk in certificate verification means that even clients that trust

  34. ISRG Root X1 will fail when presented with the Android-compatible certificate

  35. chain we are recommending by default.</p>

  36. <p>If you have any questions about the upcoming expiration,

  37. <a href="https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190">please post to this thread on our forum.</a></p>