Moonlight Blog 2021-10-14 02:29:41

On September 30, my website ran into a very strange problem. That day I posted a new article on the website, and afterwards many users told me that the article could not be accessed and that a certificate error was shown when they tried. I found this strange: had the website's SSL certificate not been renewed automatically? So I visited the website from my computer, and found no problem at all when using a computer browser.

According to the users' screenshots, they were using the Chrome browser on mobile, so I visited my website with Chrome on my own iPhone. The result surprised me: the visit actually produced an "ERR_CERT_DATE_INVALID" error, meaning something was wrong with the certificate.

At first I wondered whether the website server's clock was wrong. I logged in to the server and had a look, and the time was fine. Had the certificate not been renewed automatically? My website uses a Let's Encrypt certificate, which I had set to renew automatically. I checked: the certificate had just been renewed automatically on September 23 and its validity period had not ended, so the SSL certificate could not have expired.

I tested it myself: visiting the site with its Let's Encrypt certificate using Chrome on a PC was fine, but visiting with Chrome on the iPhone reported the SSL certificate error "ERR_CERT_DATE_INVALID". If something had gone wrong when the certificate was renewed, why had there been nothing abnormal since the renewal on the 23rd, with the error appearing only today?

I was confused. My website uses Let's Encrypt's free certificate, which has renewed automatically for several years without any problem. Today was the first time such a strange problem had come up.

Fortunately, I had earlier applied for SSL certificates from several brands for the website, so I first manually installed a DigiCert free-edition SSL certificate, which is valid for one year. Once the SSL certificate was installed and deployed, browsing the website with Chrome on mobile returned to normal, and browsing from a PC was normal too. This shows that the root of the problem is that there is a problem with the Let's Encrypt certificate.

Considering that Let's Encrypt's free SSL certificate had such a major problem today, and that this certificate has to be replaced every 3 months, which leaves room for unpredictable renewal errors, I decided the website would simply switch to the DigiCert free-edition SSL certificate. At worst, I manually renew the SSL certificate once a year.

Later I looked up the related news. This incident on my website may be connected to this news item: "Let's Encrypt root certificate expiration alert: please update in time by September 30". The timing matches: the certificate error occurred on exactly September 30. The full text of the news follows:

Let's Encrypt root certificate expiration alert: please update in time by September 30

Security researcher Scott Helme has warned that Let's Encrypt, one of the world's largest HTTPS certificate providers, will retire its legacy root certificate (Root CA) next week. This means that the millions of websites relying on it must update in time by September 30, or they risk no longer being trusted by computers, devices or web browsers.

Let's Encrypt Certificate

Let's Encrypt is reported to be a non-profit organization committed to promoting encryption of data communication between devices and the Internet by issuing certificates, ensuring that information is not intercepted and stolen by third parties.

However, the IdenTrust DST Root CA X3 root certificate that Let's Encrypt currently uses will expire next week. For most website visitors, September 30 may be a quiet day.

But older devices may still run into problems, just as in the AddTrust External CA Root certificate expiry outage in May this year, which affected Stripe, Red Hat and Roku.

Scott Helme wrote in a blog post: "Given the difference in scale between Let's Encrypt and AddTrust, I have a hunch that history will repeat itself when the IdenTrust root certificate expires, and it may cause even more problems."

Of course, the potentially vulnerable devices are mainly those that are not updated regularly, such as embedded systems or smartphones running software versions from many years ago.

For example, users of devices running macOS 2016 and Windows XP SP3 may have trouble after the end of the month. Client platforms that rely on OpenSSL 1.0.2 or earlier may also be affected, as may old PlayStation game consoles that have not been upgraded to new firmware.

Given the long-standing and well-known problems of the Android ecosystem, and to keep most smartphones from being affected by this event, Let's Encrypt took the precaution earlier this year of transitioning to its own ISRG Root X1 certificate (which expires in 2035).

Although devices running Android 7.1.1 (Nougat) and earlier do not trust it, Let's Encrypt has also been able to have its self-issued certificate cross-signed, so that most Android devices can avoid being affected for the next three years.

But if you still want to install Firefox on Android 5.0 (Lollipop), it is best to plan a move to a new platform as soon as possible.

Finally, from its founding in 2014 to the beginning of September 2021, Let's Encrypt has issued a total of more than 20 million certificates.
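The following is an added example, not code from this post or from Let's Encrypt: a simplified Python model of why a leaf certificate that is still in date can produce a date error once the legacy root expires, and why the cross-sign still helps clients that do not enforce expiry on their trust anchors. The names `example.test` and `Intermediate`, the two path-building modes and every date other than the 30 September 2021 and 2035 expiries are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed model of what the server sends: leaf, intermediate, and the
# cross-signed copy of ISRG Root X1. Names and dates are sample values,
# except the 2021-09-30 and 2035 expiries, which the page states.
SERVED_CHAIN = [
    {"subject": "example.test", "issuer": "Intermediate", "not_after": utc(2021, 12, 22)},
    {"subject": "Intermediate", "issuer": "ISRG Root X1", "not_after": utc(2025, 9, 15)},
    {"subject": "ISRG Root X1", "issuer": "DST Root CA X3", "not_after": utc(2024, 9, 30)},
]
# Client trust stores: root name -> expiry of the self-signed root.
DST = {"DST Root CA X3": utc(2021, 9, 30)}
ISRG = {"ISRG Root X1": utc(2035, 6, 4)}

def validate(chain, roots, now, trusted_first=True, check_root_expiry=True):
    """Walk the served chain and return (ok, reason).

    trusted_first=True stops at the first certificate issued by a root in
    the trust store; False follows every served certificate and only then
    looks for a root, which is how the expired legacy root gets pulled in.
    """
    for i, cert in enumerate(chain):
        if now > cert["not_after"]:
            return False, f"expired: {cert['subject']}"
        last = i == len(chain) - 1
        if cert["issuer"] in roots and (trusted_first or last):
            root = cert["issuer"]
            if check_root_expiry and now > roots[root]:
                return False, f"expired root: {root}"
            return True, f"anchored at {root}"
    return False, "no trusted root"

if __name__ == "__main__":
    both, after = {**DST, **ISRG}, utc(2021, 10, 1)
    print("legacy path building:", validate(SERVED_CHAIN, both, after, trusted_first=False))
    print("trusted-first:       ", validate(SERVED_CHAIN, both, after))
    print("old store, no anchor expiry check:",
          validate(SERVED_CHAIN, DST, after, check_root_expiry=False))
```

On a real server, the served chain this model stands in for can be inspected with `openssl s_client -connect host:443 -showcerts`.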

