| layout | title | date | excerpt |
|---|---|---|---|
| post | Invalid certificate error | October 4, 2021 | A recent update by Let's Encrypt may cause some client issues when accessing sites |
A recent change by the certificate authority Let's Encrypt may be causing problems when client applications attempt to access sites on cloud.gov and Federalist (as well as other sites on the Internet). The issue disproportionately affects users with older operating systems and/or browsers, and fixing it is outside our control.
Let's Encrypt issues the certificates for the domains on our platform, and our servers send the certificate chain that Let's Encrypt provides. That chain contains an intermediate issued by "ISRG Root X1" together with a copy of "ISRG Root X1" that is cross-signed by "DST Root CA X3". A client can therefore end its chain at "ISRG Root X1", if it trusts that root directly, or follow the cross-signed certificate one step further up to "DST Root CA X3", which expired on 30 September 2021.
If a client (for example, the web browser on an older system) has "DST Root CA X3" as a trust anchor but not "ISRG Root X1", it will probably get a certificate validation error, because the only chain it can build ends at a root that expired on 30 September 2021.
If a client has both roots as trust anchors, it may still get an error: following the served chain leads to the expired "DST Root CA X3" first, and a client that gives up after constructing that one bad chain (older TLS libraries such as OpenSSL 1.0.2 and earlier behave this way) will fail, whereas most well-behaved clients keep looking for another chain and find the valid one ending at "ISRG Root X1". Either way, the client's trust store and validation behaviour are wholly outside cloud.gov's control, and affected users will need to update their systems manually or get help from their respective IT departments.
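As an added illustration (not cloud.gov's or Let's Encrypt's code), the following Python model shows how a client joins the chain a site serves to its own trust anchors, and why the outcome depends both on which roots the client trusts and on whether it backtracks after building a bad chain. The root names and their expiry dates follow the real certificates; the leaf, the intermediate, the hostname and the two client strategies are simplified assumptions made for this example, and no real signatures are checked.

```python
"""Toy model of certificate path building around the DST Root CA X3 expiry.

Certificates are plain records: no signatures are verified. What the model
captures is how a client extends the served chain until it reaches one of its
trust anchors, and what it does when the first complete chain it finds is bad.
Leaf, intermediate and hostname below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Root expiry dates match the real certificates; everything else is made up.
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30, 14, 1, 15))
ISRG_ROOT = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4, 11, 4, 38))
# The cross-signed copy of ISRG Root X1: same subject, but issued by DST Root CA X3.
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30, 18, 14, 3))
INTERMEDIATE = Cert("Example Intermediate", "ISRG Root X1", datetime(2025, 9, 15))
LEAF = Cert("app.example.gov", "Example Intermediate", datetime(2021, 12, 15))

# What the server sends: leaf first, then the intermediates, ending with the cross-sign.
SERVED_CHAIN = [LEAF, INTERMEDIATE, ISRG_CROSS]


def chain_is_valid(chain, now):
    """Every link must be issued by the next cert, the last cert must be a
    self-signed anchor, and nothing in the chain may have expired."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            return False
    return chain[-1].self_signed and all(c.not_after > now for c in chain)


def build_paths(leaf, served, anchors):
    """Enumerate every complete path from the leaf to a self-signed trust anchor.

    Served certificates are tried before trust anchors at each step, which is
    the order that leads a client through the cross-sign to DST Root CA X3
    before it considers its own copy of ISRG Root X1.
    """
    paths = []

    def extend(path):
        last = path[-1]
        if last.self_signed:
            if last in anchors:
                paths.append(path)
            return
        candidates = [c for c in served if c.subject == last.issuer and c not in path]
        candidates += [a for a in anchors if a.subject == last.issuer]
        for cert in candidates:
            extend(path + [cert])

    extend([leaf])
    return paths


def validate(leaf, served, anchors, now, backtrack):
    """Return (ok, subjects of the chain that decided the outcome).

    A non-backtracking client judges only the first complete path it builds;
    a backtracking client accepts the first path that validates.
    """
    paths = build_paths(leaf, served, anchors)
    if not paths:
        return False, []
    for path in (paths if backtrack else paths[:1]):
        if chain_is_valid(path, now):
            return True, [c.subject for c in path]
    return False, [c.subject for c in paths[0]]


def run_scenarios(now):
    """Validate the served chain against three trust stores, with and without
    backtracking, at a given point in time."""
    stores = {
        "DST only": [DST_ROOT],
        "ISRG only": [ISRG_ROOT],
        "both": [DST_ROOT, ISRG_ROOT],
    }
    results = {}
    for name, anchors in stores.items():
        for backtrack in (False, True):
            results[(name, backtrack)] = validate(LEAF, SERVED_CHAIN, anchors, now, backtrack)
    return results


if __name__ == "__main__":
    for when in (datetime(2021, 9, 1), datetime(2021, 10, 4)):
        print(f"--- validating on {when.date()} ---")
        for (store, backtrack), (ok, chain) in run_scenarios(when).items():
            mode = "backtracking" if backtrack else "first chain only"
            print(f"{store:9} {mode:17} -> {'OK ' if ok else 'FAIL'} via {' -> '.join(chain)}")
```

Run on a date before 30 September 2021 every combination validates, because the path through "DST Root CA X3" is still good. On 4 October 2021 a store holding only "DST Root CA X3" fails regardless of strategy, a store holding only "ISRG Root X1" passes, and a store holding both passes only for the client that keeps looking after its first chain turns out to end at the expired root.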
Some additional information may be available on the Let's Encrypt community forum.