Skip to main content
U.S. flag

An official website of the United States government

Invalid certificate error

October 04, 2021

Bottom line up front

The expiration of a Certificate Authority’s root certificate may be causing some issues when client applications attempt to access sites on cloud.gov and Federalist (as well as other sites on the Internet). The issue disproportionately affects users with older operating systems and/or browsers, and fixing the issue is outside of our control.

More details

Cloud.gov uses Let’s Encrypt to provision the TLS certificates on our platform. Let’s Encrypt has their own root certificate (named ISRG Root X1), and a set of intermediate certificates (named Let's Encrypt Authority X1, Let's Encrypt Authority X2, Let's Encrypt Authority X3, and Let's Encrypt Authority X4). These intermediate certificates allow clients to build a trust chain to Let’s Encrypt’s root certificate ISRG Root X1. Additionally, these certificates are cross-signed to allow clients to build a trust chain to a different Certificate Authority’s root certificate - IndenTrust’s DST Root CA X3. Let’s Encrypt has done this since 2016, and does so to maximize client compatibility. You can read more about Let’s Encrypt’s certificate heirarchy and the reasoning behind it here.

The core issue is that on September 30, 2021, the DST Root CA X3 expired. For well-behaved clients with up-to-date trust stores, this causes not problems. For other clients, this can cause problems:

  • A client with DST Root CA X3 as a trust anchor but not ISRG Root X1, they will probably get a certificate validation error because DST Root CA X3 expired earlier that day.
  • A client with both certs in their trust anchors may give up after constructing a chain to the expired DST Root CA 3, but most well-behaved clients will continue checking for a valid chain, and will find the chain to ISRG Root X1.

However, either client configuration is wholly outside cloud.gov’s control and users will need to address this issue manually or get help from their respective IT departments.

Some additional information may be available on the Let’s Encrypt community forum.

this post was was modified October 8th, 2021. You can see the original content here

Suggest edits

cloud.gov

An official website of the U.S. General Services Administration

Looking for U.S. government information and services?
Visit USA.gov