HTTPS/2021 Let's Encrypt root expiry
What is this?
This is about a special HTTPS compatibility issue facing very outdated clients connecting to certain sites, including ours!
On 2021-09-30 at about 14:00 UTC, a very old Root Certificate which has been included in many older clients will expire and become invalid. For such clients, this certificate was their only mechanism of being compatible with server certificates issued by Let's Encrypt. This is a complex technical issue which has been looming for a long time now. Various ingenious mitigations have been put in place by Let's Encrypt as the date has approached to minimize the impacts to real users. Unfortunately, there will be some unavoidable impacts in some less-common cases!
Foundation projects (including Wikipedia) make use of Let's Encrypt certificates at some of our edge servers, and thus these impacts will affect a very small number of users of our projects, but this issue isn't specific to our projects. Let's Encrypt is securing millions of domains across the Internet, so this expiry impact will be felt quite broadly, and affected clients simply won't work well on the Internet in general after the cutoff date.
For more of the complex technical details underpinning this issue, the best source is Scott Helme's extensive blog post on the topic.
In broad terms - most software which has been updated in the past 5 years should be unaffected, and most hardware devices from the past 10 years should be capable of the necessary software upgrades. Below are the specific cases we're aware of on various platforms which may face new compatibility issues connecting to our sites on Sept 30th:
As far as we're aware, our current level of Android support should remain unchanged at roughly version 4.4 or higher (the cutoff can vary a little due to vendor OS customization and/or alternate browser installation).
iOS 9 is affected by this expiry, so users will need to upgrade to iOS 10 (or later), which was released ~5 years ago. The iPhone 5 (released ~9 years ago) and all later phones are capable of updating to iOS 10 or later. The primary device affected will be remaining users of the iPhone 4S, which cannot be upgraded beyond iOS 9. All phones older than the 4S were already incompatible with Wikimedia's current TLS configuration.
MacOS version 10.11 (El Capitan) is affected by this expiry, so users will need to upgrade to MacOS 10.12.1 (Sierra) or higher, which was released about 5 years ago and supports most Mac hardware from the past ~10 years. All versions of MacOS older than 10.11 were already incompatible with Wikimedia's current TLS configuration.
No specific new issues, but we should reiterate that Windows XP and Vista are far out of security support and not recommended, and may face additional compatibility issues (see more details in: HTTPS/Browser_Recommendations).
On Linux and other open source operating systems which use the OpenSSL library, OpenSSL version 1.0.2 and older may have issues with this certificate expiry. These issues can be mitigated without updating OpenSSL if necessary, and the OpenSSL project has extensive information on this topic. Affected operating systems include Debian 7 Wheezy, Ubuntu 16.04 Xenial, and others of a similar era (initially released ~5+ years ago).
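For bots and scripts written in Python, the following added example (not from Wikitech or the OpenSSL project) reports whether the interpreter is linked against OpenSSL 1.0.2 or older and which trust-store roots have already expired. The function names and the sample store entries are constructed for illustration.

```python
import ssl
import time

# The page names OpenSSL 1.0.2 and older as the versions that may have issues.
LAST_AFFECTED_OPENSSL = (1, 0, 2)

def openssl_may_be_affected(version_info=None):
    """True when the OpenSSL linked into this Python is 1.0.2 or older."""
    info = ssl.OPENSSL_VERSION_INFO if version_info is None else version_info
    return tuple(info[:3]) <= LAST_AFFECTED_OPENSSL

def common_name(cert):
    """Pull commonName out of the nested 'subject' tuples used by the ssl module."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no commonName>"

def expired_roots(ca_certs, at=None):
    """Return (name, notAfter) for each trust-store entry expired at time `at`."""
    at = time.time() if at is None else at
    hits = []
    for cert in ca_certs:
        not_after = cert.get("notAfter")
        if not_after and ssl.cert_time_to_seconds(not_after) <= at:
            hits.append((common_name(cert), not_after))
    return hits

def audit_local_store():
    """Check this machine. get_ca_certs() only lists roots loaded from a CA
    bundle file; roots in a hashed CA directory are loaded lazily and not shown."""
    ctx = ssl.create_default_context()
    return openssl_may_be_affected(), expired_roots(ctx.get_ca_certs())

# Constructed sample entries in the shape SSLContext.get_ca_certs() returns.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Constructed CA"),),
                 (("commonName", "Constructed Old Root"),)),
     "notAfter": "Sep 30 14:00:00 2021 GMT"},
    {"subject": ((("commonName", "Constructed Current Root"),),),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]

if __name__ == "__main__":
    affected, expired = audit_local_store()
    print("OpenSSL:", ssl.OPENSSL_VERSION, "- may be affected:", affected)
    for name, not_after in expired:
        print("expired root in trust store:", name, "(notAfter", not_after + ")")
```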
Java 8 is affected by this expiry, which might affect some bots and other automation which accesses our sites. Java vendors could potentially mitigate this in manners similar to the OpenSSL workarounds above, but we're not aware of any specifics. It is recommended to upgrade to Java 9 or later, or look for vendor updates to the root certificate store intended to mitigate this.