When you browse the web or check your email in 2021, most of those connections are secured with an SSL (Secure Sockets Layer) certificate: a small data file that digitally binds a cryptographic key to an organization’s details. In plain language, the certificate is used to establish an encrypted connection between the web browser and the web server. A secure connection over https, as opposed to http, gives you a level of trust when you are sending potentially sensitive information such as credit card numbers, usernames, passwords, and emails.
In the last five (5) years, a not-for-profit organization called Let’s Encrypt has become the standard for issuing such SSL certificates: approximately 158 million of the 243 million active websites using SSL use Let’s Encrypt, representing an astonishing 65% of the global market.
We at FullHost have been huge advocates for Let’s Encrypt, as it has significantly increased the adoption rate of sites using SSL, and its automated renewal process means you (or we) no longer need to reinstall SSL certificates. We are seeing adoption rates significantly higher than the 65% global rate.
Today, September 30, 2021, as Let’s Encrypt communicated back in May of this year, there is a change to how older browsers and devices trust these certificates. The IdenTrust DST Root CA X3 root certificate was set to expire today. For the vast majority of us, the transition from this root certificate to Let’s Encrypt’s own ISRG Root X1 certificate, which is valid until 2035, will be a seamless process and one that you will not even notice.
As we are seeing today, a number of our clients and their respective customers are experiencing issues due to the IdenTrust DST Root CA X3 expiry. While modern browsers and devices recognize the new certificate, older browsers and devices that have not been updated, or that no longer receive software updates compatible with the newer technology, do not, and this causes warnings and connection issues. This is similar to what happened in May of 2020, when the AddTrust External CA Root expired, leaving organizations like Roku, Stripe, and Spreedly with issues as a result.
What is FullHost Doing?
While we have supported, and continue to strongly support, Let’s Encrypt and what they do, we want to be able to support you even if you or your customers are using older technology. We are therefore changing from Let’s Encrypt SSL certificates to Sectigo certificates server side, which will continue to support the older devices affected by this Let’s Encrypt certificate change. As of 17:00 PST today, we have switched over approximately 50% of the domains on our network from Let’s Encrypt to Sectigo/Comodo. We will be continuing this process and expect all domains to be done within 24 hours. We are being slightly hampered in that, as Sectigo is experiencing timeouts because they are overwhelmed by the number of requests from around the world.
If you are facing issues on an unsupported email client, please change the email host name to the server host name, which is already on a Sectigo certificate. You can also connect through webmail (domain.com/webmail) to bypass this.
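As an added example (not FullHost's or Let's Encrypt's code), one way to check whether a domain still serves a chain that ends at DST Root CA X3 or has already been moved to another CA is to parse the certificate chain that `openssl s_client` prints. The sample output, the host names and intermediate names in it, and the classification labels are constructed for illustration.

```python
import re

# Constructed samples of the "Certificate chain" section printed by
# `openssl s_client -connect HOST:443`; not captured from real servers.
SAMPLE_LETS_ENCRYPT = """\
Certificate chain
 0 s:CN = shop.example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""
SAMPLE_MIGRATED = """\
Certificate chain
 0 s:CN = mail.example.com
   i:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
"""

SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")   # " 0 s:<subject DN>"
ISSUER = re.compile(r"^\s+i:(.*)$")          # "   i:<issuer DN>"
DST_X3 = re.compile(r"CN\s*=\s*DST Root CA X3\s*$")

def parse_chain(text):
    """Return [(subject_dn, issuer_dn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        if m := SUBJECT.match(line):
            subject = m.group(1).strip()
        elif (m := ISSUER.match(line)) and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def classify(text):
    """Label a served chain by the root that clients would need to trust."""
    chain = parse_chain(text)
    if not chain:
        return "no-chain"
    if any(DST_X3.search(issuer) for _, issuer in chain):
        return "chains-to-dst-root-x3"      # relies on the root that expired
    if "Let's Encrypt" in chain[0][1]:
        return "lets-encrypt-via-isrg-x1"   # client must trust ISRG Root X1
    return "other-ca"                       # e.g. already moved to Sectigo
```

Feed `classify` the text captured from `openssl s_client` for each domain to see which ones are still on the Let’s Encrypt chain.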
Affected Devices
- BlackBerry less than 10.3.3
- macOS prior to 2016
- iOS less than version 10
- Windows XP (with Service Pack 3)
- PlayStation 3 or 4 with firmware less than 5.00
- Android 7.1.1 and earlier (of which some certificates have already expired)
- Nintendo 3DS
- Kindle less than 3.4.1
- Amazon FireOS with Silk Browser