Let's encrypt root certificate change

Anyone know if the changes described here are likely to impact Node-RED users?
I see that it makes particular reference to APIs & IoT devices, but I don't really understand the implications...

Hello @Paul-Reed,

Trying to make a long story short:
there is at least one authority that is trusted by everyone (in reality there is more than one). The certificates that are trusted/created by this authority are therefore trusted by every client.

If this organization now has to change its name (root certificate), everyone needs to trust the authority with the new name. Some clients are not able to make the switch to the new name (root certificate), and therefore new certificates that are trusted/created by the organization with the new name are not trusted by the older clients (as they do not know the new name).

So, coming back to node-red:
Every client that connects to a secured server (like the server hosting Node-RED) via https might be affected. But I guess Node-RED will not be affected, as you usually access Node-RED via a browser or maybe a webhook.

What might be more interesting: Mosquitto
If you are accessing Mosquitto via https and the IoT devices need to access the server via https, you have to check whether they trust the new root certificate (organization with the new name).

I hope I summarized everything correctly and understandably.

Cheers
Ranki

1 Like

I would guess that it might affect anything that doesn't update its valid root certificate store.

Thankfully these issues are now few and far between. I would think that things like Mosquitto will be using 3rd-party TLS libraries which will reference an updatable store whether the credential store on Windows or the root certificate list on Linux (probably via OpenSSL). So as long as you are using an Operating System that is still under support, you should be fine. Older IoT devices that support TLS are few and far between anyway so probably not a problem for the majority of people.

Things like old routers or NAS's not receiving updates could also have issues however they are probably not using LE anyway so no problem there.

Node-RED itself shouldn't therefore have an issue unless you run it on an ancient Linux device where you've not updated the OS in a long time. If you are in that situation, I strongly recommend a fresh build.

1 Like

Hello @TotallyInformation,

Just for my information:
I think the problems can only occur on the client side, if they do not have the new root certificates, because they do not know whether they can trust it. I think the server (e.g. hosting Node-RED), which is providing a certificate to the client, does not need to have the corresponding root certificates in its store. Am I right?

Cheers
Ranki

Hey Paul,
You can also have a look at the certificate chain, to see which root certificate your server certificate belongs to.
Recently @geoffreydemaagd had an issue with my node-red-contrib-letsencrypt node. The reason appeared to be that I store both the server certificate and the Letsencrypt intermediate certificate in the cert.pem file. I should have a look at whether clients with a new/old root certificate would run into trouble due to an incomplete chain...

1 Like

Yes, I had similar problems about 18 months ago, so I always advise users to use the fullchain.pem certificate instead of the cert.pem to complete the chain.
The Letsencrypt Leader - Juergen Auer, said why this was necessary (for node-RED users) in this thread.

2 Likes
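The two points raised above (a client that never learned the new root, and a server that sends cert.pem without the intermediate instead of fullchain.pem) can be reproduced offline with a throwaway PKI. The following is an added example, not code from the thread, Node-RED or the letsencrypt node: it generates a "new root", an intermediate signed by it, a server certificate for the made-up host `node-red.example`, plus an unrelated "old root" standing in for a stale trust store, using only Go's standard library. `VerifyLeaf` plays the TLS client, and `DescribeChain` prints the subject/issuer path the way a browser's certificate viewer does. All names and serial numbers are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is the constructed test PKI: NewRoot signs Intermediate, Intermediate
// signs Leaf. OldRoot is unrelated and models a client whose trust store was
// never updated with the new root.
type Chain struct {
	NewRoot, OldRoot, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert signs tmpl with parentKey; when parent is nil the cert is self-signed.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildChain creates the throwaway certificates. Serials and names are made up.
func BuildChain() Chain {
	now := time.Now()
	tmpl := func(serial int64, cn string, ca bool) *x509.Certificate {
		t := &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			BasicConstraintsValid: true,
			IsCA:                  ca,
		}
		if ca {
			t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		} else {
			t.KeyUsage = x509.KeyUsageDigitalSignature
			t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
			t.DNSNames = []string{"node-red.example"} // hypothetical host
		}
		return t
	}
	newRootKey, oldRootKey, intKey, leafKey := newKey(), newKey(), newKey(), newKey()
	newRoot := makeCert(tmpl(1, "Test New Root", true), nil, &newRootKey.PublicKey, newRootKey)
	oldRoot := makeCert(tmpl(2, "Test Old Root", true), nil, &oldRootKey.PublicKey, oldRootKey)
	inter := makeCert(tmpl(3, "Test Intermediate", true), newRoot, &intKey.PublicKey, newRootKey)
	leaf := makeCert(tmpl(4, "node-red.example", false), inter, &leafKey.PublicKey, intKey)
	return Chain{NewRoot: newRoot, OldRoot: oldRoot, Intermediate: inter, Leaf: leaf}
}

// VerifyLeaf acts as a TLS client: roots is its local trust store, intermediates
// is whatever the server sent alongside its own certificate (empty for cert.pem,
// populated for fullchain.pem). It returns nil when the chain validates.
func VerifyLeaf(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) error {
	opts := x509.VerifyOptions{
		Roots:         x509.NewCertPool(),
		Intermediates: x509.NewCertPool(),
		DNSName:       "node-red.example",
	}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// DescribeChain returns one "subject <- issuer" line per certificate.
func DescribeChain(certs []*x509.Certificate) []string {
	out := make([]string, 0, len(certs))
	for _, c := range certs {
		out = append(out, fmt.Sprintf("%s <- %s", c.Subject.CommonName, c.Issuer.CommonName))
	}
	return out
}

func main() {
	ch := BuildChain()
	trustNew, trustOld := []*x509.Certificate{ch.NewRoot}, []*x509.Certificate{ch.OldRoot}
	withInter := []*x509.Certificate{ch.Intermediate}
	fmt.Println("cert.pem only, client trusts new root:     ", VerifyLeaf(ch.Leaf, trustNew, nil))
	fmt.Println("fullchain.pem, client trusts new root:     ", VerifyLeaf(ch.Leaf, trustNew, withInter))
	fmt.Println("fullchain.pem, client only trusts old root:", VerifyLeaf(ch.Leaf, trustOld, withInter))
	for _, line := range DescribeChain([]*x509.Certificate{ch.Leaf, ch.Intermediate, ch.NewRoot}) {
		fmt.Println(line)
	}
}
```

The first call fails with an "unknown authority" error even though the client trusts the root, because the server never sent the intermediate; the second succeeds; the third fails regardless of what the server sends, which is the situation of an IoT device or old OS that was never given the new root.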

I'd forgotten about that but yes I also always use the fullchain.

I think you are right but don't forget that the client can be on the server as well as the server :grinning:

2 Likes

Good point!

To be honest, I hadn't even thought about a desktop/mobile client because if you are using one of those that isn't being updated, you have much bigger problems!

This is the certificate chain that is setup by my letsencrypt node:

[image: certificate chain screenshot]

So yes indeed, I hope that my browsers (Android and Windows) will have the new root certificate in September. Of course I can always trust it myself temporarily...

I only use it for my remote connection via a browser to my Node-RED system. Not for inter-server communication...

Same here using certbot

[image: certificate chain screenshot]

Seems you have an extra level "ISRG Root X1" ....

Your chain goes via 1-2-3 while mine goes directly via 4-5:

[image: certificate chain screenshot]

Not in the mood for digging further into this tonight :wink:

I'm using your letsencrypt node in one of my sites, and see the same certification path as you (4-5).
But....
Just requested a new certificate, and it's now 1-2-3
So maybe it's a change made by letsencrypt??

@BartButenaers did you try requesting a new certificate, as in my last post.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.