Let’s Encrypt Root Expiration – Post-Mortem
Overall, I think the expiration of the Let’s Encrypt CA certificates went really quite well, largely due to the work Let’s Encrypt did around arranging for a new cross-signed chain to be available beyond the expiration of the IdenTrust root. That said, there were far more issues in areas we didn’t anticipate. Modern devices, all the way through to the latest versions of iOS and macOS, hit issues when connecting to servers that had a misconfigured certificate chain, and quite serious issues from huge companies like Google and Microsoft, whose cloud products could no longer validate certificate chains, were surprising to say the least. In all, I think this just highlights something that many of us that work in this space have known for some time: that TLS/PKI are complex and fragile systems that often go overlooked for long periods of time because they ‘just work’ most of the time. [….] One thing that’s certain is that this event is coming again. Over the next few years we’re going to see a wide selection of Root Certificates expiring for all of the major CAs, and we’re likely to keep experiencing the exact same issues unless something changes in the wider ecosystem.
(tags: postmortem ssl tls pki fail post-mortems lets-encrypt cas)
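The two failure modes the quoted post-mortem describes, a server that sends a misconfigured chain (intermediate missing) and a client whose trust store still pins an expiring root, can be reproduced offline with a throwaway PKI. The following is an added example, not code from the linked post or from Let's Encrypt: it builds a constructed legacy root, a current root, a cross-signed copy of the current root issued by the legacy root (the same shape of arrangement the post refers to), an intermediate and a server leaf, then runs Go's crypto/x509 chain verification against different trust stores and clock values. All names, dates and validity windows are constructed placeholders; the only real behaviour shown is that of the Go verifier, which enforces the trust anchor's own validity window, so a client that trusts only the expired legacy root fails after the expiry date even though the cross-signed certificate itself is still valid, while a client that trusts the current root, or a server that actually sends its intermediate, continues to validate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed reference date; every validity window below is relative to it,
// so the example behaves identically regardless of the real wall clock.
var base = time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)

var serial int64

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newCert issues a certificate for pub, signed by parentKey. A nil parent
// produces a self-signed root. CA certificates get basic constraints and
// keyCertSign; leaves get a DNS SAN and the serverAuth EKU.
func newCert(cn string, isCA bool, notBefore, notAfter time.Time, pub *ecdsa.PublicKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent = tmpl // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// PKI is the constructed hierarchy. The names are placeholders, not real CAs.
type PKI struct {
	LegacyRoot   *x509.Certificate // old root that every client trusts but that is about to expire
	Root         *x509.Certificate // current root, only in newer trust stores
	CrossSigned  *x509.Certificate // Root's subject and key, signed by LegacyRoot
	Intermediate *x509.Certificate // issued by Root
	Leaf         *x509.Certificate // the server certificate
	LegacyExpiry time.Time
}

func BuildPKI() PKI {
	legacyKey, rootKey, intKey, leafKey := newKey(), newKey(), newKey(), newKey()
	legacyExpiry := base.AddDate(0, 6, 0)
	legacy := newCert("Legacy Root (constructed)", true, base.AddDate(-10, 0, 0), legacyExpiry, &legacyKey.PublicKey, nil, legacyKey)
	root := newCert("Current Root (constructed)", true, base.AddDate(-1, 0, 0), base.AddDate(20, 0, 0), &rootKey.PublicKey, nil, rootKey)
	// The cross-sign deliberately outlives the legacy root that signs it.
	cross := newCert("Current Root (constructed)", true, base.AddDate(-1, 0, 0), base.AddDate(3, 0, 0), &rootKey.PublicKey, legacy, legacyKey)
	inter := newCert("Intermediate (constructed)", true, base, base.AddDate(5, 0, 0), &intKey.PublicKey, root, rootKey)
	leaf := newCert("example.test", false, base, base.AddDate(1, 0, 0), &leafKey.PublicKey, inter, intKey)
	return PKI{legacy, root, cross, inter, leaf, legacyExpiry}
}

// Verify validates the chain a server presents (leaf first, then any extra
// certificates it sends) against a client's trust store at a given instant,
// the way a TLS client does. It returns nil when a valid path exists.
func Verify(trusted, served []*x509.Certificate, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range served[1:] {
		inters.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{
		DNSName: "example.test", Roots: roots, Intermediates: inters, CurrentTime: now,
	})
	return err
}

func main() {
	p := BuildPKI()
	before, after := p.LegacyExpiry.AddDate(0, -1, 0), p.LegacyExpiry.AddDate(0, 1, 0)
	full := []*x509.Certificate{p.Leaf, p.Intermediate, p.CrossSigned}
	modern, legacy := []*x509.Certificate{p.Root}, []*x509.Certificate{p.LegacyRoot}
	fmt.Println("modern client, full chain, after legacy expiry:   ", Verify(modern, full, after))
	fmt.Println("modern client, server omits its intermediate:     ", Verify(modern, []*x509.Certificate{p.Leaf}, after))
	fmt.Println("legacy client, cross-signed chain, before expiry: ", Verify(legacy, full, before))
	fmt.Println("legacy client, cross-signed chain, after expiry:  ", Verify(legacy, full, after))
}
```

The second and fourth cases are the ones operators tend to discover only when clients start failing: a server that sends only its leaf works with clients that happen to cache the intermediate and breaks for everyone else, and a client whose trust store never gained the newer root keeps working right up to the old root's expiry date and then stops, regardless of what the server sends. Checking your own endpoints with both a current and a deliberately old trust store, and with the clock moved past the next anchor expiry, catches both before the date arrives.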