Sunday 3 October 2021

Expired SSL Certificates

Disclaimer: The SailEvent team knows precious little about Secure Sockets Layer, encryption, Certificate Authorities and all that good stuff. To us, SSL certificates are just gizmos that work to make the web a better place.

Except occasionally they don’t work, as some SailEvent users have recently discovered. When they go to SailEvent, their browser tells them that the site is insecure because its SSL certificate has expired.

But it’s not actually SailEvent’s certificate that has expired. That’s valid until 31/12/2021 when it will automatically renew. The certificate that expired on 30th September is the one at the top of a chain and the one that says “all the certificates below me in the chain can be trusted”.

SailEvent’s certificate is issued by Let’s Encrypt. Let’s Encrypt is a non-profit certificate authority and the world’s largest, providing certificates to over 265 million websites, so we are in good company. In fact, there are reports that users of the likes of Slack, Shopify and Fortinet, among others, have hit the same problem.

Of course, Let’s Encrypt knew this certificate was going to expire and so provided a new one that will be good for many years. The trouble is that instructions as to which chain to follow to reach the top-level certificate are hardcoded into software on people’s phones, tablets and computers. Updated instructions have been distributed for quite a while, but people running older software will still be following the old chain leading to the certificate which expired on Thursday.

At least that’s our understanding. There are more erudite explanations here:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
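
The chain-following behaviour described above, modelled as an added example (not SailEvent's or Let's Encrypt's code). The certificate names, the cross-signed certificate and every date except 30 September and 31 December 2021 are constructed stand-ins, and the model assumes the client checks the expiry of the trusted root itself.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed stand-ins: only the 30 Sep 2021 and 31 Dec 2021 dates come from
# the post; all names and the remaining dates are assumptions for illustration.
OLD_ROOT = Cert("old-root", "old-root", date(2021, 9, 30))
NEW_ROOT = Cert("new-root", "new-root", date(2035, 1, 1))
CROSS = Cert("new-root", "old-root", date(2024, 1, 1))  # new root vouched for by old root
INTERMEDIATE = Cert("intermediate", "new-root", date(2025, 1, 1))
LEAF = Cert("sailevent-leaf", "intermediate", date(2021, 12, 31))
SENT = [INTERMEDIATE, CROSS]  # certificates the server sends alongside the leaf

def build_path(leaf, sent, trust_store):
    """Follow issuer links until a certificate in the client's trust store is reached."""
    path, current = [leaf], leaf
    while True:
        if current.issuer in trust_store:
            path.append(trust_store[current.issuer])
            return path
        nxt = next((c for c in sent
                    if c.subject == current.issuer and c not in path), None)
        if nxt is None:
            return None  # chain cannot be completed
        path.append(nxt)
        current = nxt

def check(leaf, sent, trust_store, today):
    """Return (ok, detail): the path taken, or which certificates in it expired."""
    path = build_path(leaf, sent, trust_store)
    if path is None:
        return (False, "no path to a trusted root")
    expired = [c.subject for c in path if c.not_after < today]
    if expired:
        return (False, "expired: " + ", ".join(expired))
    return (True, " -> ".join(c.subject for c in path))

OLD_CLIENT = {"old-root": OLD_ROOT}                             # never updated
UPDATED_CLIENT = {"old-root": OLD_ROOT, "new-root": NEW_ROOT}   # has the new root

if __name__ == "__main__":
    today = date(2021, 10, 3)
    print("old client:    ", check(LEAF, SENT, OLD_CLIENT, today))
    print("updated client:", check(LEAF, SENT, UPDATED_CLIENT, today))
```

The site's own certificate is valid in both runs; only the client's trust store differs, which is why the same server works for some visitors and not others.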

So what to do? Unfortunately there are no practical steps, no setup changes, no software updates, that we can make. But we can offer this advice to anyone who is affected by this issue:

Make sure you are running the most up-to-date version of the operating system and web browser that you can on your device. That’s always sound advice.

If that doesn’t fix it, try a different browser. There’s a suggestion that Firefox is a good one.

If all else fails, you can still go to SailEvent by ignoring the warning, but be aware that your connection will not be encrypted.

Please accept our apologies if you have been troubled by this unfortunate circumstance, but do understand that it is not of our making. It may be that the situation will improve over time; if we hear anything, we’ll let you know.

