Sept 30th, Let's Encrypt root cert switch
Hal Murray
hmurray at megapathdsl.net
Sat May 15 05:26:25 UTC 2021
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
What should you do? For most people, nothing at all! We've set up our
certificate issuance so your web site will do the right thing in most cases,
favoring broad compatibility. If you provide an API or have to support IoT
devices, you'll need to make sure of two things: (1) all clients of your API
must trust ISRG Root X1 (not just DST Root CA X3), and (2) if clients of your
API are using OpenSSL, they must use version 1.1.0 or later. In OpenSSL 1.0.x,
a quirk in certificate verification means that even clients that trust ISRG
Root X1 will fail when presented with the Android-compatible certificate chain
we are recommending by default.
---------
Part (2) is not a problem for us since 1.1.1 is needed for TLS 1.3 which NTS
requires.
--
These are my opinions. I hate spam.
More information about the devel
mailing list