Let’s Encrypt has changed the way the web works with its free certificates. Believe it or not, the only way to get a publicly trusted certificate before Let’s Encrypt came along was to pay for it. Companies like StartSSL would offer free certificates but that was so they could up-sell and get you to pay for a certificate.
If you are like me and make extensive use of their free certificate feature you need to pay attention. On 30 September one of their root certificates namely DST Root CA X3 will expire. This means that older devices like the iPhone 4 (we know how Zim’s iPhone community loves its older devices) and the HTC Dream will no longer be able to access your websites.
Let’s Encrypt has a “root certificate” called ISRG Root X1. Modern browsers and devices trust the Let’s Encrypt certificate installed on your website because they include ISRG Root X1 in their list of root certificates. To make sure the certificates we issue are trusted on older devices, we also have a “cross-signature” from an older root certificate: DST Root CA X3.
When we got started, that older root certificate (DST Root CA X3) helped us get off the ground and be trusted by almost every device immediately. The newer root certificate (ISRG Root X1) is now widely trusted too – but some older devices won’t ever trust it because they don’t get software updates (for example, an iPhone 4 or an HTC Dream). Click here for a list of which platforms trust ISRG Root X1.
Part of Let’s Encrypt’s post on the issue
What you should do
I am a webmaster myself and am in charge of several blogs. I already have a plugin that warns people who visit the site using old browsers and I am going to add a warning that those who use the affected devices will no longer be able to access my sites after 30 September unless they upgrade. So if you are a normal web admin you might want to follow my lead.
Things get a little tricky if you are a systems administrator who has Let’s Encrypt TLS certificates for other services. This is where you are likely to encounter issues and incompatibilities. Older systems will not be able to validate Let’s Encrypt’s certificates and people who use these older devices will therefore not be able to connect and use your system. Below is a list of devices that will have issues after 30 September.
- Blackberry < v10.3.3
- Android < v2.3.6
- Nintendo 3DS
- Windows XP prior to SP3
- cannot handle SHA-2 signed certificates
- Java 7 < 7u111
- Java 8 < 8u101
- Windows Live Mail (2012 mail client, not webmail)
- cannot handle certificates without a CRL
- PS3 game console
- PS4 game console with firmware < 5.00
If you have people who use such services you might want to make arrangements. You can just buy a compatible certificate from sites like Namecheap or tell your clients to upgrade.