Repairing the Chain of Trust

/ 11 October 2021

Some of you may have heard from your customers or website users that your site is no longer accessible and instead is showing a message warning that the site is “not private” or that a “secure connection” cannot be established. We wanted to explain what is happening and how your users can resolve the problem.

The web has been with us for nearly 30 years, and one of the big changes behind the scenes on websites has been how we verify that a site is what we think it is. As the web emerged in 1993 there was no effort to demonstrate that trust, we just believed what we saw. But over the last ten years there has been a shift to “secure” the web using certificates, facilitated by the emergence of free and inexpensive certificates from trustworthy sources. We use the most common of those free sources with our client sites: Let’s Encrypt.

At the end of September 2021 an old “root certificate” for Let’s Encrypt expired. Let’s Encrypt had long since moved on to a new copy of that root certificate and most modern devices have since had software updates that included this new root certificate. But “most” is not “all” and some older devices have not been updated. These devices don’t know about the new Let’s Encrypt root certificate and, as a consequence, are not aware that they can trust other Let’s Encrypt certificates like the ones on your site.

You and we can do little to fix this problem. Indeed, we may not even experience it if our browsers have been updated recently enough. If you do field a complaint of this sort, though, the person who is experiencing the problem can fix it by installing the new Let’s Encrypt root certificate manually. In order to help them do this we have prepared a brief “how-to” post that they can follow. Please direct anyone who needs this information to our “Installing the new Let’s Encrypt root certificate” post. Make sure they use the insecure HTTP version of this link since they will not be able to access the regular secure version of our website: http://www.tenseg.net/install-cert/.