OT(ish) sites down or worse
Karl Auer
kauer at biplane.com.au
Fri Oct 1 11:35:51 UTC 2021
On Fri, 2021-10-01 at 11:33 +0100, Grizzly via ubuntu-users wrote:
> OK it's 1st of a new month a lot of sites seem to be failing with
> "The certificate is not trusted because the issuer certificate is
> unknown."
Are they LetsEncrypt certificates by any chance?
LetsEncrypt just retired an old CA certificate chain. A certificate
needs to be valid in itself, but it also needs to be verifiable against
an issuer - vouched for by issuer certificates that themselves also
need to be valid.
More than you ever wanted to know:
https://letsencrypt.org/certificates/
https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/
>From the second link:
"From Sept 30th 2021 Let's Encrypts previous root
certificate DST Root CA X3 (and it's R3 intermediate)
will expire. It has been replaced by their ISRG Root X1
certificate (and replacement R3 intermediate)."
This is mostly a server-side issue; you can't do much about sites that
are using a certificate that cannot be trusted. However, making sure
your browser is up-to-date, clearing all caches and/or restarting the
browser may help.
If, when you check the invalid cert, it is a LetsEncrypt cert validated
against X3, you can probably trust the connection a while longer (if
your browser will let you). It will still encrypt the connection.
I just tried askubuntu.com and it is now protected by ISRG Root X1,
which is the new cert. This suggests that either they just fixed it OR
your browser is one of those that need a kick-start.
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
GPG fingerprint: 61A0 99A9 8823 3A75 871E 5D90 BADB B237 260C 9C58
Old fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
More information about the ubuntu-users
mailing list