App Sync Issues - "IdenTrust DST Root CA X3" Certificate Expiry

On the 30th of September 2021, the root certificate that all Let's Encrypt SSL certificates are based on, namely the "IdenTrust DST Root CA X3" certificate, expired.

 

What this means is that if any of your online services use a Let's Encrypt SSL certificate then there is a chance that some devices will no longer be able to connect to your online service(s).

 

To be more specific, if you are using a Let's Encrypt SSL certificate you likely now have an incomplete SSL chain, meaning some older operating systems and other software will reject all connections to your web service(s) because the chain can no longer be trusted.

 

Affected Clients

Whether or not you will experience any disruptions depends on the software and/or operating system you use when connecting to a Let's Encrypt SSL secured web service.

 

Android in particular is insistent on completely valid SSL certificate chains, so you should expect some problems there.

 

Below is a list of all currently known clients affected by the expiry of the "IdenTrust DST Root CA X3" certificate:

  • OpenSSL <= 1.0.2
  • Windows < XP SP3
  • macOS < 10.12.1
  • iOS < 10 (iPhone 5 is the lowest model that can get to iOS 10)
  • Android < 7.1.1 (but >= 2.3.6 will work if served ISRG Root X1 cross-sign)
  • Newer Android versions may also have problems (depending on manufacturer)

 

For example, suppose you have an external web service that you connect to directly from within the app on an Android device, and that web service relies on the now-expired Let's Encrypt SSL chain. In that case the operating system *may* see all connections to your web service as not trusted and reject them.
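To triage a device inventory against the list above, the following added example (not part of the original article) applies the list's version thresholds, including the Android cross-sign exception. The inventory lines, the function names and the `serves_isrg_cross_sign` flag are assumptions; the Windows entry is reported as unknown because it is not a dotted version.

```python
import re

# Thresholds copied from the "Affected Clients" list in this article.
RULES = {"openssl": ("<=", "1.0.2"), "macos": ("<", "10.12.1"),
         "ios": ("<", "10"), "android": ("<", "7.1.1")}
ANDROID_CROSS_SIGN_MIN = "2.3.6"  # works from here if served the cross-sign


def parse_version(text, width=4):
    """'1.0.2u' -> (1, 0, 2, 0): letter suffixes dropped, missing parts are 0."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        return None  # e.g. "XP SP2" is not a dotted version
    parts = [int(p) for p in m.group().split(".")][:width]
    return tuple(parts + [0] * (width - len(parts)))


def classify(platform, version, serves_isrg_cross_sign=False):
    """Return 'affected', 'ok' or 'unknown'; 'ok' only means 'not on the list'."""
    rule, v = RULES.get(platform.lower()), parse_version(version)
    if rule is None or v is None:
        return "unknown"
    op, limit = rule[0], parse_version(rule[1])
    listed = v <= limit if op == "<=" else v < limit
    if not listed:
        return "ok"
    # Android exception from the list: old versions still connect when the
    # server sends the ISRG Root X1 cross-sign.
    if (platform.lower() == "android" and serves_isrg_cross_sign
            and v >= parse_version(ANDROID_CROSS_SIGN_MIN)):
        return "ok"
    return "affected"


def triage(inventory, serves_isrg_cross_sign=False):
    """Map each 'platform version' inventory line to its status."""
    lines = [ln.strip() for ln in inventory.splitlines() if ln.strip()]
    return {ln: classify(*ln.partition(" ")[::2], serves_isrg_cross_sign)
            for ln in lines}


# Constructed sample inventory (not real devices).
INVENTORY = ("android 6.0.1\nandroid 2.3.5\nios 9.3.5\nios 10.0\n"
             "macos 10.12\nopenssl 1.0.2u\nopenssl 1.1.1k\nwindows XP SP2")

if __name__ == "__main__":
    for device, status in triage(INVENTORY, True).items():
        print(f"{status:9} {device}")
```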


Regenerate Your SSL Certificate

 

Given that the root Let's Encrypt certificate has expired, you must regenerate your SSL certificate and install the fresh cert on the target server hosting your external web service.

The fresh certificate from Let's Encrypt will reference a non-expired root cert, meaning there should be no further issues for most affected devices attempting to connect to your external web services.

 

 

Resolving Issues With Older Devices

 

1. Android devices

  • Upgrade your devices to use Android version 7.1.1 or newer.

2. iOS devices

  • Upgrade your devices to use iOS version 10 or newer.

3. Windows devices

 

 

Platform (WaaS) SSL Certificates

Our official advice for purchasing WaaS SSL certificates is to buy them from Comodo, so you do not have to worry about anything here unless you are using a Let's Encrypt certificate for your WaaS, in combination with an affected client/device as listed above.

 

The same possible solutions as explained above apply here as well.

 

 

More Information

Some helpful external resources that may help you in case you require more information:
