{"id":33724,"date":"2021-09-24T16:49:55","date_gmt":"2021-09-24T20:49:55","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=33724"},"modified":"2022-02-17T09:26:32","modified_gmt":"2022-02-17T14:26:32","slug":"some-web-sites-will-stop-working-with-el-capitan-and-older","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2021\/09\/24\/some-web-sites-will-stop-working-with-el-capitan-and-older\/","title":{"rendered":"Some Web Sites Will Stop Working With El Capitan and Older"},"content":{"rendered":"

Scott Helme<\/a> (Hacker News<\/a>):<\/p>\n

On 30th September 2021, the root certificate that Let’s Encrypt are currently using, the IdentTrust DST Root CA X3 certificate, will expire. You may or may not need to do anything about this Root CA expiring, but I’m betting a few things will probably break on that day so here’s what you need to know!<\/p>

[…]<\/p>

In normal circumstances this event, a root CA expiring, wouldn’t even be worth talking about because the transition from an old root certificate to a new root certificate is completely transparent. The reason we’re having a problem at all is because clients don’t get updated regularly and if the client doesn’t get updated, then the new root CA that replaces the old, expiring root CA is not downloaded onto the device.<\/p>

[…]<\/p>

In the last year alone, Let’s Encrypt have grown their market share quite a lot and as a CA becomes larger, it’s certificates enable more of the Web to operate and as a result, when something like this comes along they have the potential to cause more problems. This is nothing to do with what Let’s Encrypt have done, or have not done, this still comes down to the same underlying problem that devices out in the ecosystem aren’t being updated as they should be.<\/p>

[…]<\/p>

Because old Android devices don’t check the expiration date of a root certificate when they use it, Let’s Encrypt may be able to continue to chain down to the expired root certificate without any problem on those older devices.<\/p><\/blockquote>\n\n

Howard Oakley<\/a>:<\/p>\n

\n

If you’re still running El Capitan, or any version of Mac OS X prior to 10.12.1, then you’re about to run into problems with some popular security certificates.<\/p>\n<\/blockquote>\n\n

macOS 10.11 was only superceded five years ago, and some older hardware can’t run 10.12. On the iOS side, an iPhone 4S can’t update to iOS 10. I get that Apple doesn’t want to provide security bug fixes that far back, but how hard would it be to have a mechanism for updating the root certificates? (Then again, even the Mac App Store<\/a> no longer works properly on macOS 10.13 due to a bad CSS URL.)<\/p>\n\n

Let’s Encrypt is quite popular now, and there are other certificates issued using the same root. Lots of sites will break, and users won’t know what to do.<\/p>\n\n

This blog and the C-Command forum<\/a> use Let’s Encrypt, and they are set to redirect HTTP to HTTPS. I haven’t decided how to handle this yet. So far, it seems like the only options are to accept the breakage or to buy a certificate from another provider.<\/p>\n\n

The main C-Command site<\/a> (which my apps use for automatic software updates) uses a different certificate that should continue to work. One of the mirror download sites does use Let’s Encrypt; if you get an error due do that you could try again until you get the non–Let’s Encrypt mirror.<\/p>\n\n

Previously:<\/p>\n