It’s worth noting as well that this affects openssl 1.0.1 even if they have the new root cert. So curl on Debian 8, Debian 9, OSX 10.14.6 etc. will report SSL certificate expired. Browsers there will work, but APIs might fail. I wrote about it a little here with a (per-server) workaround: https://silvermou.se/letsencrypt-60-ssl-certificate-problem-certificate-has-...

On 10 Oct 2021, at 16:52, Jay R. Ashworth via Outages wrote:

...

I meant to post this when it happened, and I think I forgot. :-}

The SSL Root cert that underlies Let's Encrypt's root expired on 30-Sept, and the new root that underlies it is not in the Root Certificate Package of some still pretty widely deployed OS versions, including OS/X <10.12.1.

Lots of people are getting their certs from Let's these days, including Wikipedia.

So if you've gotten any reports from the field that people can't access {websites,your websites} it's worth looking into whether this is why.

Tier 2/3 detail: https://scotthelme.co.uk/lets-encrypt-old-root-expiration/

Cheers, -- jra

Replies, as always, to -discuss

-- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274 _______________________________________________ Outages mailing list Outages@outages.org https://puck.nether.net/mailman/listinfo/outages