Invalid certificate error

October 4, 2021

Bottom line up front

The expiration of a Certificate Authority’s root certificate may be causing some issues when client applications attempt to access sites on cloud.gov and Federalist (as well as other sites on the Internet). The issue disproportionately affects users with older operating systems and/or browsers, and fixing the issue is outside of our control.

More details

Cloud.gov uses Let’s Encrypt to provision the TLS certificates on our platform. Let’s Encrypt has its own root certificate (named ISRG Root X1) and a set of intermediate certificates (named Let's Encrypt Authority X1, Let's Encrypt Authority X2, Let's Encrypt Authority X3, and Let's Encrypt Authority X4). These intermediate certificates allow clients to build a trust chain to Let’s Encrypt’s root certificate, ISRG Root X1. Additionally, these intermediates are cross-signed to allow clients to build a trust chain to a different Certificate Authority’s root certificate, IdenTrust’s DST Root CA X3. Let’s Encrypt has done this since 2016 to maximize client compatibility. You can read more about Let’s Encrypt’s certificate hierarchy and the reasoning behind it here.

The core issue is that on September 30, 2021, DST Root CA X3 expired. For well-behaved clients with up-to-date trust stores, this causes no problems. For other clients, it can cause problems:

  • A client with DST Root CA X3 as a trust anchor but not ISRG Root X1 will probably get a certificate validation error, because DST Root CA X3 expired earlier that day.
  • A client with both certs in its trust anchors may give up after constructing a chain to the expired DST Root CA X3, but most well-behaved clients will continue checking for a valid chain and will find the chain to ISRG Root X1.

However, either client configuration is wholly outside cloud.gov’s control and users will need to address this issue manually or get help from their respective IT departments.
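The two client situations above, as an added example that is not cloud.gov's code: a small Python check that classifies a trust store by whether ISRG Root X1 is present and whether DST Root CA X3 is present and already expired. It assumes the record shape returned by Python's `ssl.SSLContext.get_ca_certs()`; the sample records are constructed, with the real expiry dates of the two roots.

```python
import ssl
from datetime import datetime, timezone

ISRG = "ISRG Root X1"
DST = "DST Root CA X3"

def common_name(subject):
    """Pull the CN out of the nested ((key, value),) tuples that ssl returns."""
    for rdn in subject:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def not_after(text):
    """Parse OpenSSL's 'Sep 30 14:01:15 2021 GMT' notAfter format as aware UTC."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def diagnose(ca_certs, now):
    """Classify a trust store against the two roots discussed in the post.

    'ok'               - a chain to an unexpired root is available without a dead end
    'client-dependent' - both roots present, DST expired: only clients that keep
                         searching after hitting the expired chain will succeed
    'broken'           - no usable root, so validation fails regardless of client
    """
    expiry = {}
    for cert in ca_certs:
        cn = common_name(cert.get("subject", ()))
        if cn in (ISRG, DST):
            expiry[cn] = not_after(cert["notAfter"])
    isrg_ok = ISRG in expiry and expiry[ISRG] > now
    dst_present = DST in expiry
    dst_expired = dst_present and expiry[DST] <= now
    if isrg_ok and dst_expired:
        return "client-dependent"
    if isrg_ok or (dst_present and not dst_expired):
        return "ok"
    return "broken"

# Constructed sample records in get_ca_certs() shape (real validity end dates).
ISRG_REC = {"subject": ((("commonName", ISRG),),), "notAfter": "Jun  4 11:04:38 2035 GMT"}
DST_REC = {"subject": ((("commonName", DST),),), "notAfter": "Sep 30 14:01:15 2021 GMT"}
POST_DATE = datetime(2021, 10, 4, tzinfo=timezone.utc)      # date of this post
BEFORE_EXPIRY = datetime(2021, 9, 1, tzinfo=timezone.utc)   # before the root expired

def live_store_status(now=None):
    """Run the same check against this machine's default trust store."""
    return diagnose(ssl.create_default_context().get_ca_certs(), now or datetime.now(timezone.utc))

if __name__ == "__main__":
    print(live_store_status())
```

On a machine that reports `client-dependent`, removing the expired DST Root CA X3 from the store (or updating the OS/browser) is the fix the post points to, and is something only the client side can do.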

Some additional information may be available on the Let’s Encrypt community forum.

This post was modified October 8th, 2021. You can see the original content here.