Let's Encrypt DST Root CA X3 expiration
On 30 September 2021 the DST Root CA X3 certificate used by Let's Encrypt expired, causing TLS failures on older devices and systems that did not trust the newer ISRG Root X1.
Fact-checked and reviewed — Kodi C.
On 30 September 2021, the DST Root CA X3 certificate that Let's Encrypt used for cross-signing expired. Although Let's Encrypt had already transitioned to its own ISRG Root X1 certificate (trusted by most modern systems), older devices and operating systems without ISRG Root X1 in their trust stores experienced TLS validation failures. The expiration affected legacy Android devices (pre-7.1.1), older macOS/iOS versions, and systems with outdated CA bundles.
Technical background
Let's Encrypt began operations in 2015 using certificates cross-signed by IdenTrust's DST Root CA X3, which was already included in most trust stores. This allowed Let's Encrypt certificates to be trusted by clients before ISRG Root X1 achieved widespread distribution. By 2021, ISRG Root X1 was included in most modern operating systems and browsers.
To maintain compatibility with older Android devices, Let's Encrypt obtained a special cross-sign from IdenTrust that allows certificates to chain to DST Root CA X3 through ISRG Root X1, relying on a quirk of Android's trust validation behavior. This extended compatibility until 2024 for many older Android devices.
Impact and mitigation
Systems affected included Android 7.0 and earlier (approximately 33% of active Android devices at the time), older embedded systems, IoT devices with static trust stores, and servers with outdated CA certificate bundles. Affected clients received certificate validation errors when connecting to sites using Let's Encrypt certificates.
Server operators could mitigate the issue by configuring their web servers to send the appropriate certificate chain: either including or excluding the expired cross-sign, depending on the client population. OpenSSL 1.0.2 users experienced issues due to strict chain validation, requiring upgrades or configuration changes.
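As an added illustration (not code from the article or from Let's Encrypt), the following Go program uses `crypto/x509` to model the chain choices described in the two passages above: a client trusting only a stand-in for DST Root CA X3 accepts the cross-signed chain the day before 30 September 2021 and rejects every chain the day after, while a client trusting the stand-in ISRG Root X1 accepts either chain. All certificate names, keys and validity periods are constructed, the cross-sign is given the 2024 lifetime the article mentions, and Go's validator, like OpenSSL's, rejects an expired root, so the Android tolerance that the 2024 extension relies on is not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Expiry is the DST Root CA X3 expiry date from the article (date only; the time of day is not on the page).
var Expiry = time.Date(2021, 9, 30, 0, 0, 0, 0, time.UTC)
// issue signs a CA or leaf certificate for cn/pub under parent (self-signed when parent is nil), valid from five years before Expiry.
func issue(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey, ca bool, notAfter time.Time) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as real CAs use
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: Expiry.AddDate(-5, 0, 0), NotAfter: notAfter, IsCA: ca, BasicConstraintsValid: true}
	if ca { tmpl.KeyUsage = x509.KeyUsageCertSign }
	if parent == nil { parent = tmpl } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER produced just above, so parsing cannot fail
	return cert
}
// BuildDemo returns constructed stand-ins for DST Root CA X3 (legacy), ISRG Root X1 (modern), the cross-sign and a leaf.
func BuildDemo() (legacy, modern, cross, leaf *x509.Certificate) {
	legacyKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo keys; errors ignored for brevity
	modernKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	legacy = issue("Legacy Root (stand-in)", &legacyKey.PublicKey, nil, legacyKey, true, Expiry)
	modern = issue("Modern Root (stand-in)", &modernKey.PublicKey, nil, modernKey, true, Expiry.AddDate(20, 0, 0))
	// Cross-sign: the modern root's key and name signed by the legacy root, outliving it until 2024 as the article says.
	cross = issue("Modern Root (stand-in)", &modernKey.PublicKey, legacy, legacyKey, true, Expiry.AddDate(3, 0, 0))
	leaf = issue("example.test", &leafKey.PublicKey, modern, modernKey, false, Expiry.AddDate(0, 3, 0))
	return
}
// Accepts reports whether a client trusting only root validates leaf plus the served intermediates at time now.
func Accepts(leaf, root *x509.Certificate, now time.Time, served ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range served { inters.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now}) // Go, like OpenSSL, rejects an expired root
	return err == nil
}
func main() { // prints "false true": the day after Expiry the cross-signed chain fails a legacy-only store; a modern store is fine
	legacy, modern, cross, leaf := BuildDemo()
	fmt.Println(Accepts(leaf, legacy, Expiry.Add(time.Hour), cross), Accepts(leaf, modern, Expiry.Add(time.Hour)))
}
```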
Lessons for infrastructure teams
The DST Root CA X3 expiration highlighted the importance of maintaining current CA certificate bundles across all systems, including servers, clients, and embedded devices. If you are affected, inventory systems with static trust stores and establish processes for trust store updates.
Plan for future root certificate transitions by monitoring certificate authority announcements and testing client compatibility. Consider TLS termination architectures that simplify certificate management and enable rapid chain configuration changes. The incident showed how certificate authority trust relationships can create unexpected dependencies affecting service availability.
Infrastructure planning and design
Infrastructure planning should incorporate the technical requirements and operational considerations associated with this root transition. Capacity planning, performance requirements, availability targets, and disaster recovery considerations should be addressed during the design phase so that the infrastructure supports organizational objectives.
Change management processes should account for the specific technical dependencies and potential impacts of infrastructure modifications. Testing procedures should validate that changes do not introduce operational disruptions or security vulnerabilities before deployment to production environments.
Assessing infrastructure
Infrastructure teams should conduct full assessments to identify affected systems and prioritize remediation based on exposure and criticality. Patch management processes should account for the specific technical requirements and potential compatibility considerations associated with this update. Testing procedures should validate that patches do not introduce operational disruptions before deployment to production environments.
Monitoring should continue after remediation to verify that the fix was applied successfully and to detect any exploitation attempts targeting systems that remain vulnerable during the patching window.