Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Aldar12073yI only just found out the jist of the issue...
LE is too new of a CA. But because they wanted to support even older devices, LE's X3 root certificate was, instead of being self-signed, cross signed by another, older, root CA's root certificate - The ISRG Root X1.
This way, even though LE's root wasn't in the root trust store of many of the older devices, it'd be seen as valid, as it was signed by a root cert that was there.
What happens when *that* root cert expires though?
Hell ensues...
We already have... Several clients migrating away from LE because they need to keep supporting old android phones for example.
*Sigh* Why can't Google just push new root trust stores even to old devices as a security update? This way, one of the greatest companies to ever be created will suffer quite a lot... -
Came as a surprise to me, I don't know much about certificates ecept to check when they expire.
Couldn't even have imagined a certificate provider would intentionally break compatibility with anything as recent as 2015 (like ios9) without our Devops alerting everyone -
@jiraTicket They didn't "break compatibility", certs expire by themselves. The responsibility of keeping root CA stores up to date is on the software vendor, in the case of Android that's Google.
-
@lbfalvy Thanks for explaining
I’m very prone to misunderstandings here since I’m uneducated about certificates
Didn’t mean to blame LetsCert. Just wanted to blame ”someone”.
What I’ve heard is Google will push the necessary stuff to some older android devices but Apple will not push it to older ios-devices.
Is that correct?
Related Rants
Maaaan, we all knew it was coming, we were warned, again and again, yet still, when Lets Encrypt's old root CA expired today, we found out a tool we were using to get new certs (Not cerbot, custom wrapper around acme-tiny) included the old root in the chain.
So... A few hours ago, some of our servers started having connection issues.
Great final 3 hours of today. Better luck next time I guess? Still, despite the little hickup, Lets Encrypt still remains as one of the biggest revolutions in the adoption of SSL, they're the good guys.
rant
ssl
lets encrypt
https