Let’s Encrypt Authority X1 expired


#1

Is it just me or has the X1 cert expired? Was installing it into my JDK, and got an expiry error. Then checked https://helloworld.letsencryt.org and that has the same problem.


#2

Apparently X1 is no longer trusted:


#3

Because ISRG Root X1 is no longer trusted:


#4

X1 isn’t used anymore. Boulder currently uses X3. Therefore, the expiration of X1 doesn’t matter. Any cert signed by X1 has expired itself anyway.

Furthermore, the ISRG Root X1 isn’t trusted anywhere, except for Mozilla products in the future (because its application for including the root has just concluded). Therefore, it’s not “ISRG Root X1 is no longer trusted”, but should be “ISRG Root X1 is not trusted yet” :wink:


#5

helloworld.letsencrypt.org uses a certificate that leads up to the ISRG root certificate because it’s the domain that was used as a sample for the Mozilla root inclusion request. It’s a special case and should no longer be considered the sample domain for Let’s Encrypt. Basically, just forget it ever existed. :smile:

The intermediate certificate was changed a couple of months ago to fix a Windows XP compatibility issue. The currently active intermediate certificate is called “Let’s Encrypt Authority X3”, with the backup being “Let’s Encrypt Authority X4”. You can find both on this page.

The ISRG root certificate is not currently (and has never been) trusted by any browser. That’s not a problem, however, as the intermediate certificate is cross-signed by IdenTrust, which is trusted by all major browsers.

As for manually importing the root certificate, I’d probably go with the IdenTrust root (also confusingly called “X3”, but different from the “Let’s Encrypt Authority X3” intermediate certificate).


#6

We temporarily restored an expired leaf certificate for helloworld.letsencrypt.org to meet an operational testing requirement. This was deliberate and we know it’s expired :slight_smile:

As pointed out by @osiris and @pfg we don’t issue day-to-day certificates from a chain descending from the X1 root.


#7

Thanks everyone for the clarifications. As always,… love your work!

Cheers
Craig


#8

Ok, but in the meantime it’s not exactly good PR… I brought up Let’s Encrypt on an internal mailing list at $dayjob (we’re signed up with InCommon and Comodo) and someone promptly posted a screenshot of the Firefox error message.

