Table of Contents
Why is my website showing insecure even using Let’s Encrypt SSL?
A lot of websites are having security issues with the Let’s Encrypt SSL recently, but why is the website showing insecure when you are using an SSL? According to Let’s Encrypt, the browser of the PC or smartphone that constantly updates will have the ISRG Root X1 root certificate to let users access the website with Let’s Encrypt SSL smoothly. Those who did not update the operating system regularly(like Windows, Android, iOS, macOS, etc.), can access the website through the DST Root CA X3 root certificate.
However, the DST Root CA X3 root certificate has expired on 30/9/2021, which makes the users that are using an older version of the operating system or OpenSSL unable to access the website or insure note will be shown.
How to fix the SSL certificate problem?
There are two ways that you can fix the above problem:
1. To notify the users to update the operating system more often in order to access the websites.
This solution might not be suitable for all users since there are users that might not be familiar with the system or users who do not have the habit of updating their system might not like to follow the notes. Moreover, there might be users that are using equipment that is too old and can not support the newest version of the OS. For these users, the website with Let’s Encrypt SSL will be unable to access successfully or be shown insured.
2. Change the SSL certificate.
The root certificate of paid SSL and free SSL is not the same. For now, there are no problems reported for paid SSL, that’s why a paid SSL is recommended. A paid SSL not only fixes the above problem but also increases the website security for visitors, and can avoid certificate expiration in a short period or certificate failure.
▶ To learn more about The difference between free SSL and paid SSL certificate – How to choose?
▶ To learn about SSL Certificate and how to purchase
What version of the system might not be able to access the website successfully?
The following list is announced by Let’s Encrypt:
Compatible software:
Mozilla Firefox >= v2.0
Google Chrome
Internet Explorer on Windows XP SP3 and higher
Microsoft Edge
Android OS >= v2.3.6
Safari >= v4.0 on macOS
Safari on iOS >= v3.1
Debian Linux >= v6
Ubuntu Linux >= v12.04
NSS Library >= v3.11.9
Amazon FireOS (Silk Browser)
Cyanogen > v10
Jolla Sailfish OS > v1.1.2.16
Kindle > v3.4.1
Java 7 >= 7u111
Java 8 >= 8u101
Blackberry >= 10.3.3
PS4 game console with firmware >= 5.00
Incompatible software:
Blackberry < v10.3.3
Android < v2.3.6
Nintendo 3DS
Windows XP prior to SP3
cannot handle SHA-2 signed certificates
Java 7 < 7u111
Java 8 < 8u101
Windows Live Mail (2012 mail client, not webmail)
cannot handle certificates without a CRL
PS3 game console
PS4 game console with firmware < 5.00
Reference:
https://letsencrypt.org/zh-tw/docs/dst-root-ca-x3-expiration-september-2021/
https://letsencrypt.org/zh-tw/docs/certificate-compatibility/
Best SSL certificate services recommend ➝ SSL certificate from Yuan-Jhen