Expired SSL certificate errors - Object Storage
I’ve been getting errors about my SSL certificate being expired when trying to access object storage buckets. How do I resolve this?
1 Reply
If you’ve been seeing these errors as of September 30, 2021, it’s likely a result of the recent expiration of IdenTrust's root certificate, DST Root CA X3.
Tl;dr - It can take a while (years) for a Certificate Authority (CA) to have their application for their own root certificate approved. Once it is approved, they face the uphill battle of getting that certificate propagated across global devices, which will happen through device and software updates. In the meantime they can use cross-signing to serve secured content through another CA's root certificate.
Since Let’s Encrypt began, they’ve been using a cross-signed root certificate (DST Root CA X3) through IdenTrust - a long-time CA whose certificates have been around for a while and therefore provide backwards compatibility for older browsers and devices that haven’t been updated to include newer root certificates. A more detailed backstory can be had here:
As mentioned above, DST Root CA X3 expired on September 30, so Let’s Encrypt is solely reliant on their own root certificate, ISRG Root X1. If users are working with older devices, browsers, or OpenSSL versions that don’t include this trusted root certificate, users will experience error messages stating their SSL cert has expired.
A full list for ISRG Root X1 compatibility can be found here:
- https://letsencrypt.org/docs/certificate-compatibility/
- https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816
And a more detailed explanation of these changes - what they mean and how they work - can be found in these detailed blog posts:
- https://letsencrypt.org/2020/11/06/own-two-feet.html
- https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
- https://scotthelme.co.uk/lets-encrypt-to-transition-to-isrg-root/
Essentially, users will need to ensure they’re working with updated devices and software in order to get their devices to trust these newer root certificates.
For those using an older version of OpenSSL (<= 1.0.2), instructions on how to build workarounds are detailed in the below OpenSSL blog post:
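The reply above boils down to one question for the client side: does the local trust store contain ISRG Root X1, and is the expired DST Root CA X3 still sitting next to it? The following script, added here as an example and not part of the original reply, audits the trust store Python's ssl module loads (the system OpenSSL bundle) for exactly that. The sample certificate entries are constructed to mirror the shape of `SSLContext.get_ca_certs()` output; the expiry dates are sample values.

```python
import ssl
import time

ISRG_ROOT_X1 = "ISRG Root X1"
DST_ROOT_CA_X3 = "DST Root CA X3"

# Constructed sample entries in the dict shape returned by SSLContext.get_ca_certs().
SAMPLE_CERTS = [
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", ISRG_ROOT_X1),)),
     "notAfter": "Jun 4 11:04:38 2035 GMT"},
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", DST_ROOT_CA_X3),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
]

def common_name(cert):
    """Return the subject commonName of an ssl-module certificate dict, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def audit_trust_store(ca_certs, now=None):
    """Check a list of CA cert dicts for ISRG Root X1 and for an expired DST Root CA X3.
    `now` is a Unix timestamp; defaults to the current time."""
    now = time.time() if now is None else now
    report = {"isrg_root_x1": False, "dst_root_ca_x3": False, "dst_root_ca_x3_expired": False}
    for cert in ca_certs:
        cn = common_name(cert)
        if cn == ISRG_ROOT_X1:
            report["isrg_root_x1"] = True
        elif cn == DST_ROOT_CA_X3:
            report["dst_root_ca_x3"] = True
            # notAfter is "Mon DD HH:MM:SS YYYY GMT"; ssl.cert_time_to_seconds parses it
            report["dst_root_ca_x3_expired"] = ssl.cert_time_to_seconds(cert["notAfter"]) < now
    return report

def explain(report):
    """Turn the audit result into the remediation hint from the reply above."""
    if not report["isrg_root_x1"]:
        return "ISRG Root X1 missing: update the OS/OpenSSL CA bundle, Let's Encrypt chains will not verify"
    if report["dst_root_ca_x3"] and report["dst_root_ca_x3_expired"]:
        return "ISRG Root X1 trusted, but expired DST Root CA X3 still present: OpenSSL <= 1.0.2 may reject chains"
    return "trust store is ready for Let's Encrypt certificates chaining to ISRG Root X1"

if __name__ == "__main__":
    # Certificates from a capath directory only appear here after first use; a CA file loads fully.
    print(explain(audit_trust_store(ssl.create_default_context().get_ca_certs())))
```

Run it on the client that reports the "expired" error; a missing ISRG Root X1 points at the outdated device or CA bundle the reply describes.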