Expired Let’s Encrypt certificate failure affects millions of users
The expiration of Let’s Encrypt’s outdated digital root security certificate DST Root CA X3 caused failures and errors for several million users. An unknown number of services, websites and apps were not provided with a new certificate in time.
Many tech companies experienced outages on September 30 because Let’s Encrypt’s IdentTrust DST Root CA X3 certificate expired. After pre-announced expirations of the certificate, various services, browsers, games, websites and apps were estimated to be temporarily inaccessible to millions of users or no longer functioning properly or securely. In the worst case, devices could not even connect to the internet anymore.
The exact extent of the incident is unknown. Older devices such as the PlayStation 4 and Android 7.1.1 smartphones would be particularly affected by connection problems, especially if the associated operating system or firmware had not been updated for a while. Security expert Scott Helme warned about the problems a week ago. He tells ZDnet that he indeed saw several services with malfunctions on Friday. He does not specify an exact size. Shopify and Heroku, among others, describe on their status pages that they have recently resolved certificate-related outages. Helme also mentions Bluecoat, Cisco Umbrella, Catchpoint, Guardian Firewall, Monday.com, PFsense, Google Cloud Monitoring, Azure Application Gateway, OVH, Auth0, Shopify, Xero, QuickBooks, Fortinet, Heroku, Rocket League, InstaPage, and Ledger.
Hundreds of millions of websites worldwide use certificates issued by Let’s Encrypt for a secure https connection. Typically, companies prepare well in advance of the expiration of critical digital certificates for such a time. Because intermediate and root certificates expired in a short time, many servers, browsers and operating systems were not updated in time, Let’s Encrypt CEO Josh Aas explains to TechRadar.
The non-profit organization Let’s Encrypt is the world’s largest certificate authority and has issued more than 2 billion digital certificates in recent years. The DST Root CA X3 certificate was issued in collaboration with IdentTrust and ensures an encrypted connection. Meanwhile, all previously DST Root CA X3 services must have migrated to IdenTrust Commercial Root CA 1 in order to continue to function without any issues.