A place to cache linked articles (think custom and personal wayback machine)
title: DST Root CA X3 Expiration (September 2021)
url: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
hash_url: 372cdbf3dc67c7796673bec4aaeb9f0f
<p>On September 30, 2021, there will be a small change in how older browsers and devices
trust Let’s Encrypt certificates. If you run a typical website, you won’t notice
a difference - the vast majority of your visitors will still accept your Let’s
Encrypt certificate. If you provide an API or have to support IoT devices, you
might have to pay a little more attention to the change.</p>
<p>Let’s Encrypt has a “<a href="https://letsencrypt.org/docs/glossary/#def-root">root certificate</a>” called <a href="https://letsencrypt.org/certificates/" hreflang="en-US">ISRG Root X1</a>. Modern browsers and
devices trust the Let’s Encrypt certificate installed on your website because
they include ISRG Root X1 in their list of root certificates. To make sure the
certificates we issue are trusted on older devices, we also have a
“cross-signature” from an older root certificate: DST Root CA X3.</p>
<p>When we got started, that older root certificate (DST Root CA X3) helped us get
off the ground and be trusted by almost every device immediately. The newer root
certificate (ISRG Root X1) is now widely trusted too - but some older devices
won’t ever trust it because they don’t get software updates (for example, an
iPhone 4 or an HTC Dream). <a href="https://letsencrypt.org/docs/certificate-compatibility/" hreflang="en-US">Click here for a list of which platforms trust ISRG
Root X1</a>.</p>
<p>DST Root CA X3 will expire on September 30, 2021. That means those older devices
that don’t trust ISRG Root X1 will start getting certificate warnings when
visiting sites that use Let’s Encrypt certificates. There’s one important
exception: older Android devices that don’t trust ISRG Root X1 will continue to
work with Let’s Encrypt, <a href="https://letsencrypt.org/2020/12/21/extending-android-compatibility.html">thanks to a special cross-sign from DST Root CA X3</a>
that extends past that root’s expiration. This exception only works for Android.</p>
<p>What should you do? For most people, nothing at all! We’ve set up our
certificate issuance so your web site will do the right thing in most cases,
favoring broad compatibility. If you provide an API or have to support IoT
devices, you’ll need to make sure of two things: (1) all clients of your API
must trust ISRG Root X1 (not just DST Root CA X3), and (2) if clients of your
API are using OpenSSL, <a href="https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816">they must use version 1.1.0 or later</a>. In OpenSSL
1.0.x, a quirk in certificate verification means that even clients that trust
ISRG Root X1 will fail when presented with the Android-compatible certificate
chain we are recommending by default.</p>
<p>If you have any questions about the upcoming expiration,
<a href="https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190">please post to this thread on our forum.</a></p>
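The two client requirements above (ISRG Root X1 in the trust store, OpenSSL 1.1.0 or later) can be checked on a Python-based API client with the standard `ssl` module. This is an added example, not part of the cached article or Let's Encrypt's own tooling; the function names are hypothetical, roots are matched by subject common name only, and the sample trust-store entries are constructed.

```python
import ssl

ISRG_ROOT_X1 = "ISRG Root X1"
DST_ROOT_CA_X3 = "DST Root CA X3"
MIN_OPENSSL = (1, 1, 0)  # the article's minimum for OpenSSL-based clients


def root_names(ca_certs):
    """Subject commonNames from dicts shaped like SSLContext.get_ca_certs()."""
    names = set()
    for cert in ca_certs:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value)
    return names


def assess_client(openssl_version_info, ca_certs):
    """Return a list of problems; an empty list means both requirements hold."""
    names = root_names(ca_certs)
    problems = []
    if ISRG_ROOT_X1 not in names:
        only_dst = DST_ROOT_CA_X3 in names
        problems.append("ISRG Root X1 not trusted"
                        + (" (only DST Root CA X3 is)" if only_dst else ""))
    if tuple(openssl_version_info[:3]) < MIN_OPENSSL:
        problems.append("OpenSSL %d.%d.%d is older than 1.1.0"
                        % tuple(openssl_version_info[:3]))
    return problems


def assess_this_interpreter():
    """Run the check against the TLS stack this Python is linked to."""
    ctx = ssl.create_default_context()  # loads the platform's default roots
    # Caveat: roots stored only in a capath directory are loaded lazily and
    # may be missing from get_ca_certs(); matching is by name, not fingerprint.
    return assess_client(ssl.OPENSSL_VERSION_INFO, ctx.get_ca_certs())


def sample_root(cn):
    # Constructed sample entry, not a real certificate.
    return {"subject": ((("organizationName", "Example"),), (("commonName", cn),))}


if __name__ == "__main__":
    legacy = assess_client((1, 0, 2, 11, 15), [sample_root(DST_ROOT_CA_X3)])
    print("constructed legacy client:", legacy)
    print("this interpreter:", assess_this_interpreter() or "ok")
```

An interpreter linked against a non-OpenSSL library such as LibreSSL reports its own version numbers in `ssl.OPENSSL_VERSION_INFO`, so check `ssl.OPENSSL_VERSION` before trusting the version comparison.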