Let's Encrypt DST Root CA X3 Expiration

Ryan Schmidt ryandesign at macports.org
Sat Oct 2 09:14:05 UTC 2021

macports.org and other secure web sites that use Let's Encrypt may no longer be accessible to you if you use older versions of macOS or older browsers or user agents. For example, the libcurl in macOS 10.14 can't talk to many Let's Encrypt web sites now, including distfiles.macports.org and packages.macports.org, and MacPorts uses macOS libcurl to download things. Safari and many browsers don't use libcurl so they may be affected differently.

Let's Encrypt is a free certificate provider used by macports.org and many other web sites to provide https encryption. Certificates they issue depend on their "ISRG Root X1" certificate which was cross-signed by the "DST Root CA X3" certificate, because DST Root CA X3 was more widely accepted by browsers when Let's Encrypt got started years ago. Both of these root certificates are included in the certificate chain served by web sites that use Let's Encrypt.

ISRG Root X1 itself has been trusted by browsers for some time now and DST Root CA X3 expired a couple days ago on September 30, 2021. Apparently in order to provide the widest compatibility, certificate chains continue to list the old expired root certificate after the new one. The idea as I understand it is that browsers should see the ISRG Root X1 certificate, realize that it itself is already trusted by the OS or browser, and not even look at the next expired DST Root CA X3 certificate in the chain.

They advertised this root certificate expiration as being a very minor situation, but unfortunately it seems that a large portion of Apple devices cannot deal with this change. On many Macs, it seems that the entire certificate chain is being validated, and the expired extra root certificate is causing the connection to be disallowed. What alerted me to the problem in the first place was seeing many failed builds on our Buildbot system due to fetch failures.

I'm not certain what to do to address this. On the web servers we control, we can apparently remove the expired DST Root CA X3 certificate from the chain that we send. That will help those systems that already trust ISRG Root X1. I'm not sure how far back that is. For older systems, we can modify master_sites.tcl and archive_sites.tcl to change which OS versions try to access our mirror servers via https. None of this necessarily helps our build server be able to mirror distfiles in the first place. If you have ideas, let me know.
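Added example, not part of the original message: a simplified Python model of the two client behaviours described above (stop at the first locally trusted root versus check every served certificate), run against the served chain and against a chain with the expired certificate removed. It models expiry only, not signatures; the host name, intermediate name, trust-store contents and all dates other than the September 30, 2021 expiry are constructed assumptions.

```python
from datetime import datetime

def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer, "not_after": not_after}

# Constructed model of the served chain as the post describes it. Only the
# DST Root CA X3 expiry (September 30, 2021) is from the post; other names
# and dates are illustrative.
SERVED = [
    cert("distfiles.example.org", "Intermediate CA", datetime(2021, 12, 1)),
    cert("Intermediate CA", "ISRG Root X1", datetime(2025, 1, 1)),
    cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 1, 1)),
    cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30)),
]
TRIMMED = SERVED[:-1]  # server stops sending the expired certificate

# Trust stores: name -> expiry of the locally installed root (constructed).
MODERN = {"ISRG Root X1": datetime(2035, 1, 1),
          "DST Root CA X3": datetime(2021, 9, 30)}
OLD = {"DST Root CA X3": datetime(2021, 9, 30)}
NOW = datetime(2021, 10, 2)  # date of the post

def validate(chain, store, now, stop_at_anchor):
    """Return (ok, reason) for a leaf-first chain.

    stop_at_anchor=True accepts at the first subject that is an unexpired
    local root and ignores later certificates; False checks every served
    certificate before looking for a root.
    """
    for c in chain:
        if stop_at_anchor and c["subject"] in store and store[c["subject"]] > now:
            return True, "anchored at " + c["subject"]
        if c["not_after"] <= now:
            return False, "expired in chain: " + c["subject"]
    last = chain[-1]
    root = last["subject"] if last["subject"] in store else last["issuer"]
    if root not in store:
        return False, "no trusted root for " + root
    if store[root] <= now:
        return False, "expired in store: " + root
    return True, "anchored at " + root

if __name__ == "__main__":
    for label, chain in (("served", SERVED), ("trimmed", TRIMMED)):
        for name, store in (("modern", MODERN), ("old", OLD)):
            for early in (True, False):
                print(label, name, early, validate(chain, store, NOW, early))
```

In this model, trimming the chain fixes the strict client that already trusts ISRG Root X1, while the client whose only root is the expired one fails either way.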

