I was looking forward to something happening this month in the world of PKI that has had to be postponed for the 3rd time. Let's Encrypt were going to be transitioning to their own ISRG Root certificate, but it's had to be delayed again until January 21st 2021.


The ISRG Root transition

I wrote about the original plan to transition way back in April 2019 and at that time the transition was scheduled for July 8th 2019. The first time it was postponed it was pushed back to July 8th 2020 (a whole year!), then it was postponed a few more months until September 29th 2020 and finally it's just been postponed again until January 11th 2021.

Postponing the transition isn't a real problem and won't cause any problems, the problem is why the transition keeps being postponed.

Due to concerns about insufficient ISRG root propagation on Android devices we have decided to move the date on which we will start serving a chain to our own root to January 11, 2021.

source

To summarise the problem, the Let's Encrypt ISRG Root was only created in 2015 and shortly after that it became available for all devices to download via an OS update or some other software update. If a device doesn't do an update, it does not know who/what the ISRG Root is and as a result it does not trust it. I recently wrote a detailed blog post about this problem titled The Impending Doom of Expiring Root CAs and Legacy Clients, and no, that title isn't click bait. I followed that up with another post, The Complexities of Chain Building and CA Infrastructure, to go into more detail about the problem.

To work around this issue and to get themselves up and running quickly in 2016, Let's Encrypt used something called a cross-sign to get around the problem. This is a common approach and I went into full details about that in Cross-Signing and Alternate Trust Paths; How They Work. The final piece in my huge 4 part series that started out as a simple blog post to scratch an itch was me creating a tool to simplify the process of doing my analysis, Finding alternate trust paths the easy way; Introducing Chain Builder. If you really want to understand the problem fully, and what are options are to solve it, I'd highly recommend working your way through those 4 blog posts.

The Problem

I want to be clear that this isn't a problem with Let's Encrypt nor do I think they've made the wrong call here, but this is highlighting that we have a problem in the wider ecosystem and it's just not going away. We have a huge amount of devices that haven't been updated in years and as a result, these devices have no idea about the new ISRG Root. Once the transition happens, those devices will stop trusting Let's Encrypt issued certificates, breaking the service that's using them, and this is why the transition keeps getting postponed.

Postponing the transition is a hope that one of two things will happen; either the device gets an update or the device is replaced by a newer device. As you can probably guess, this isn't really a 'solution' and the underlying problem is not going away.

This might be affecting Let's Encrypt now, and they're working on delaying the problem even further (more on that in a second), but over the coming years the problem is going to keep surfacing as other large roots start to expire.

Getting a new intermediate

The absolute last possible day we can delay this problem until is September 30th 2021, that's the day the IdenTrust Root expires and nothing can chain back to that root after that day. The other problem is that Let's Encrypt currently have an expiry date on their cross-signed X3 intermediate of March 17th 2021, prior to the expiration of the root that cross-signed it. This means even if you did want to manually configure the old cross-signed intermediate for legacy client support, you can't do so beyond that date. To give users who need that option a little more time (again, not solving the problem, just delaying it), Let's Encrypt are having a new cross-signed intermediate issued by IdenTrust that will be valid until September 29th 2021, the day before the IdenTrust root expires. I want to stress though that this will be it, last chance saloon. There are no more extensions and no more things that can be done to extend the life of the current IdenTrust path.

Our current cross-signature from IdenTrust expires on March 17, 2021. The IdenTrust root that we are cross-signed from expires on September 30, 2021. Within the next year we will obtain a new cross-signature that is valid until September 29, 2021. This means that our subscribers will have the option to manually configure a certificate chain that uses IdenTrust until September 29, 2021.

source

Further reading

I've linked to these blog posts in the above text but for the sake of clarity here are the articles I'd recommend if you really want to understand everything surrounding this problem:

Let's Encrypt to transition to ISRG root

The Impending Doom of Expiring Root CAs and Legacy Clients

The Complexities of Chain Building and CA Infrastructure

Cross-Signing and Alternate Trust Paths; How They Work

Finding alternate trust paths the easy way; Introducing Chain Builder

If you use Let's Encrypt and need to support legacy clients like very old phones, old 'smart' devices, embedded devices or just any device that likely hasn't been updated in a few years, it's probably a good idea to have a read through. That said, there's a reasonable chance your CA of choice might have the same issue in the future if you aren't using Let's Encrypt so it's better to be prepared!