
HTTPS/2021 Let's Encrypt root expiry

Revision as of 22:38, 23 September 2021 by imported>Legoktm (Legoktm moved page HTTPS/Letsencrypt-Root-2021 to HTTPS/2021 Let's Encrypt root expiry: more descriptive name)

What is this?

This is about a special HTTPS compatibility issue facing very outdated clients connecting to certain sites, including ours!

On 2021-09-30 at about 14:00 UTC, a very old Root Certificate which has been included in many older clients will expire and become invalid. For such clients, this certificate was their only mechanism of being compatible with server certificates issued by Let's Encrypt. This is a complex technical issue which has been looming for a long time now. Various ingenious mitigations have been put in place by Let's Encrypt as the date has approached to minimize the impacts to real users. Unfortunately, there will be some unavoidable impacts in some less-common cases!

Foundation projects (including Wikipedia) make use of Let's Encrypt certificates at some of our edge servers, and thus these impacts will affect a very small number of users of our projects, but this issue isn't specific to our projects. Let's Encrypt is securing millions of domains across the Internet, so this expiry impact will be felt quite broadly, and affected clients simply won't work well on the Internet in general after the cutoff date.

For more of the complex technical details underpinning this issue, the best source is Scott Helme's extensive blog post on the topic.

Compatibility Issues

In broad terms, most software which has been updated in the past 5 years should be unaffected, and most hardware devices from the past 10 years should be capable of the necessary software upgrades. Below are the specific cases we're aware of on various platforms which may face new compatibility issues connecting to our sites on Sept 30th:

Android

As far as we're aware, our current level of Android support should remain unchanged at roughly version 4.4 or higher (the cutoff can vary a little due to vendor OS customization and/or alternate browser installation).

iOS

iOS 9 is affected by this expiry, so users will need to upgrade to iOS 10 (or later), which was released ~5 years ago. The iPhone 5 (released ~9 years ago) and all later phones are capable of updating to iOS 10 or later. The primary device affected will be remaining users of the iPhone 4S, which cannot be upgraded beyond iOS 9. All phones older than the 4S were already incompatible with Wikimedia's current TLS configuration.

MacOS

MacOS version 10.11 (El Capitan) is affected by this expiry, so users will need to upgrade to MacOS 10.12.1 (Sierra) or higher, which was released about 5 years ago and supports most Mac hardware from the past ~10 years. All versions of MacOS older than 10.11 were already incompatible with Wikimedia's current TLS configuration.

Windows

No specific new issues, but we should reiterate that XP and Vista are far out of security support and not recommended, and may face additional compatibility issues (see more details in: HTTPS/Browser_Recommendations).

OpenSSL

On Linux and other open source operating systems which use the OpenSSL library, OpenSSL version 1.0.2 and older may fail certificate validation after this expiry. These issues can be mitigated without updating OpenSSL if necessary, and the OpenSSL project has extensive information on this topic. Affected operating systems include Debian 7 Wheezy, Ubuntu 16.04 Xenial, and others of a similar era (initially released ~5+ years ago).

Java

Java 8 is affected by this expiry, which might affect some bots and other automation which accesses our sites. Java vendors could potentially mitigate this in ways similar to the OpenSSL workarounds above, but we're not aware of any specifics. It is recommended to upgrade to Java 9 or later, or look for vendor updates to the root certificate store intended to mitigate this.
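To make the OpenSSL and root-store points above concrete, here is an added Python model (not code from Wikitech or from the OpenSSL project) of the chain-building difference between an older verifier that walks the server-sent chain first and a newer one that consults the trust store at every step. The certificates are plain records with no signature checking; the DST Root CA X3 expiry is the page's 2021-09-30 14:00 UTC, and every other date, the leaf name and the exact algorithm details are constructed assumptions. It shows three trust stores: one holding both the expired root and ISRG Root X1 (the legacy verifier fails, the modern one succeeds), one with the expired root removed (both succeed, the "mitigate without updating OpenSSL" case), and one holding only the old root (both fail, the outdated-client case that only a root-store update such as the one the Java section mentions can fix).

```python
"""Simplified model of the chain-building difference behind the OpenSSL 1.0.2
problem with the Let's Encrypt root expiry.

Added illustration, not code from Wikitech or the OpenSSL project. Certificates
are plain records (no signature checks); the DST Root CA X3 expiry is the page's
2021-09-30 14:00 UTC, every other date and the leaf name are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc
BEFORE_EXPIRY = datetime(2021, 9, 1, tzinfo=UTC)
AFTER_EXPIRY = datetime(2021, 10, 1, tzinfo=UTC)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


# Trust anchors and intermediates (real certificate names, constructed dates
# except for the DST root expiry taken from the page).
DST_ROOT_X3 = Cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30, 14, 0, tzinfo=UTC))
ISRG_ROOT_X1 = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4, tzinfo=UTC))
# Cross-signed copy of ISRG Root X1, issued by the old DST root.
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30, tzinfo=UTC))
R3 = Cert("R3", "ISRG Root X1", datetime(2025, 9, 15, tzinfo=UTC))
LEAF = Cert("example.wikimedia.test", "R3", datetime(2021, 12, 1, tzinfo=UTC))  # constructed

# What a server sends: the leaf plus the long chain ending in the cross-sign.
SERVER_CHAIN = [LEAF, R3, ISRG_X1_CROSS]


def find_issuer(cert, pool):
    """First certificate in pool whose subject matches cert's issuer name."""
    return next((c for c in pool if c.subject == cert.issuer), None)


def chain_valid(chain, now):
    """Every certificate in the path, including the root, must be unexpired."""
    return all(c.not_after > now for c in chain)


def names(chain):
    return [c.subject for c in chain]


def verify_legacy(server_chain, trust_store, now):
    """Models OpenSSL 1.0.2: use the server-supplied (untrusted) certs as far as
    they go, only then consult the trust store, and never revisit that anchor
    choice once one is found (expiry is checked afterwards, with no retry)."""
    chain = [server_chain[0]]
    untrusted = server_chain[1:]
    while True:
        nxt = find_issuer(chain[-1], untrusted)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    anchor = find_issuer(chain[-1], trust_store)
    if anchor is not None:
        full = chain + [anchor]
        return chain_valid(full, now), names(full)
    # No anchor for the top cert: try alternative chains by peeling the top
    # untrusted cert off and looking for a trusted issuer of the new top.
    while len(chain) > 1:
        chain.pop()
        anchor = find_issuer(chain[-1], trust_store)
        if anchor is not None:
            full = chain + [anchor]
            return chain_valid(full, now), names(full)
    return False, names(chain)


def verify_modern(server_chain, trust_store, now):
    """Models OpenSSL 1.1.0 and later: the trust store is checked before each
    untrusted cert is used, so the chain stops at ISRG Root X1 whenever that
    root is present and the expired cross-signed path is never reached."""
    chain = [server_chain[0]]
    untrusted = server_chain[1:]
    while True:
        anchor = find_issuer(chain[-1], trust_store)
        if anchor is not None:
            full = chain + [anchor]
            return chain_valid(full, now), names(full)
        nxt = find_issuer(chain[-1], untrusted)
        if nxt is None or nxt in chain:
            return False, names(chain)
        chain.append(nxt)


if __name__ == "__main__":
    stores = {
        "both roots": [DST_ROOT_X3, ISRG_ROOT_X1],
        "expired DST root removed": [ISRG_ROOT_X1],
        "only the old DST root (outdated client)": [DST_ROOT_X3],
    }
    for label, store in stores.items():
        for verifier in (verify_legacy, verify_modern):
            ok, path = verifier(SERVER_CHAIN, store, AFTER_EXPIRY)
            print(f"{verifier.__name__:14} {label:40} ok={ok!s:5} via {' -> '.join(path)}")
```

Running the script prints one line per verifier and trust store. The legacy verifier with both roots present builds the four-certificate path ending at DST Root CA X3 and rejects it once that root has expired; removing the expired root makes the alternative-chain step find ISRG Root X1 instead, which is the shape of the workaround that avoids an OpenSSL upgrade. A store that never received ISRG Root X1 fails with either verifier, which is why only a root-store or OS update helps the outdated clients listed on this page.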