Helloworld.letsencrypt.org certificate expires this weekend


#1

Right now helloworld.letsencrypt.org uses an older certificate issued from the X1 intermediate. That certificate expires this weekend.

If it’s replaced with a certificate from the DST-signed X3 intermediate, it will still work in people’s browsers but is likely to stall the application for inclusion into the Mozilla trust store (and perhaps other trust stores) because it doesn’t chain to the ISRG root and no other example has been cited.

If it’s not replaced, obviously it expires, and that too would likely stall the application for inclusion.

The Right Thing™ here is to undertake the ceremony to sign X3 and X4. It sounds like that’s not going to happen, at least any time soon. So the closest alternative is to (manually?) issue for helloworld.letsencrypt.org with the obsoleted X1 intermediate again. That’s unfortunate because manual issuance sort of undermines the point of ACME, but it’s probably the least worst option.

Or am I missing something?


#2

Now the certificate has just expired: https://www.ssllabs.com/ssltest/analyze.html?d=helloworld.letsencrypt.org


#3

Automation is the solution to all our problems :wink:


#4

We’re currently migrating the server for that site to a new host. We’ll have this sorted out soon.


#5

How are you going to sort it out? Will you issue manually using the X1 intermediate? Right now, the helloworld certificate links up to X3, but that’s known not to link back to ISRG, since a key signing ceremony would be needed.

@josh What are your plans regarding that?


#6

They now have a new cert signed by X3, so everything is working again.
But they needed two tries yesterday to get this working. :smiley:


#7

But this leaves the ISRG root store application(s) without a working example (of a site whose certificate chains back to the ISRG root). Or did they create such an example and put it elsewhere?