Convox Community

Warning: If you provide an API, you may see some SSL certificate errors for a few customers after switching from AWS ACM (v2 rack) to Let's Encrypt (v3 rack)

One thing I would have liked to know earlier is that Let's Encrypt’s DST Root CA X3 expired on September 30, 2021: DST Root CA X3 Expiration (September 2021) - Let's Encrypt

If you provide an API or have to support IoT devices, you’ll need to make sure of two things: (1) all clients of your API must trust ISRG Root X1 (not just DST Root CA X3), and (2) if clients of your API are using OpenSSL, they must use version 1.1.0 or later. In OpenSSL 1.0.x, a quirk in certificate verification means that even clients that trust ISRG Root X1 will fail when presented with the Android-compatible certificate chain we are recommending by default.

My service does provide an API. After I migrated my DNS from my v2 rack to the new v3 rack, a small number of customers experienced some downtime due to “expired SSL certificate” errors. They were using older versions of Node.js, or hadn’t updated their OS packages for a while. It wasn’t too bad, but you should keep this in mind before switching from a v2 to a v3 rack. Before you make the jump, try to search your logs for outdated versions of Node.js, and maybe give your customers a heads up by sending them an email in advance. I hope that helps, and I’d be happy to answer any questions in case you’re going through the same process.
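An added example, not from the original post or from Convox, that automates the checks described above from the API provider's side: it compares an OpenSSL version against the 1.1.0 minimum, looks for ISRG Root X1 in the trust store Python loads by default on the host it runs on, and scans access-log lines for clients whose User-Agent reports an old Node.js runtime. The log lines are constructed, the "ExampleSDK ... node/vX.Y.Z" User-Agent convention is an assumption (adjust the regex to what your own clients send), and the Node.js 12 threshold is an illustrative choice rather than a value from the post.

```python
import re
import ssl
from typing import List, Optional, Sequence, Tuple

# Minimum OpenSSL version that validates the ISRG Root X1 chain correctly,
# per the Let's Encrypt note quoted in the post.
MIN_OPENSSL = (1, 1, 0)

# Matches "node/v10.24.1" or "Node.js/v8.17.0" inside a User-Agent string.
# ASSUMPTION: the client SDK embeds the Node.js runtime version this way;
# change the pattern to whatever your own clients actually send.
NODE_UA_RE = re.compile(r"node(?:\.js)?/v?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

# Combined-format access log: client IP first, User-Agent as the last quoted field.
LOG_LINE_RE = re.compile(r'^(\S+) .* "([^"]*)"\s*$')


def openssl_is_recent_enough(version_info: Optional[Sequence[int]] = None) -> bool:
    """True if the given (major, minor, fix, ...) tuple is OpenSSL 1.1.0 or later.

    With no argument, checks the OpenSSL linked into this Python interpreter.
    """
    if version_info is None:
        version_info = ssl.OPENSSL_VERSION_INFO
    return tuple(version_info[:3]) >= MIN_OPENSSL


def isrg_root_x1_in_default_store() -> bool:
    """True if the trust store Python loads by default contains ISRG Root X1.

    Environment-dependent: run this on the client host you are worried about.
    """
    ctx = ssl.create_default_context()
    for cert in ctx.get_ca_certs():
        # 'subject' is a tuple of RDNs, each a tuple of (attribute, value) pairs.
        subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
        if subject.get("commonName") == "ISRG Root X1":
            return True
    return False


def find_outdated_node_clients(
    log_lines: Sequence[str], min_major: int
) -> List[Tuple[str, str]]:
    """Return (client_ip, node_version) for requests whose User-Agent reports a
    Node.js major version below min_major. Lines without a Node.js UA are skipped."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        client_ip, user_agent = m.groups()
        v = NODE_UA_RE.search(user_agent)
        if not v:
            continue
        major, minor, fix = (int(x) for x in v.groups())
        if major < min_major:
            hits.append((client_ip, f"{major}.{minor}.{fix}"))
    return hits


# Constructed sample log lines (not real traffic); "ExampleSDK" is a made-up client.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2021:08:15:22 +0000] "GET /v1/widgets HTTP/1.1" 200 512 "-" "ExampleSDK/2.1.0 node/v10.24.1"
203.0.113.11 - - [01/Oct/2021:08:15:23 +0000] "GET /v1/widgets HTTP/1.1" 200 512 "-" "ExampleSDK/2.3.0 node/v16.10.0"
198.51.100.7 - - [01/Oct/2021:08:16:01 +0000] "POST /v1/orders HTTP/1.1" 201 88 "-" "curl/7.68.0"
198.51.100.8 - - [01/Oct/2021:08:16:05 +0000] "GET /v1/widgets HTTP/1.1" 200 512 "-" "ExampleSDK/1.9.2 Node.js/v8.17.0"
"""

if __name__ == "__main__":
    status = "ok" if openssl_is_recent_enough() else "TOO OLD for the ISRG Root X1 chain"
    print(f"local {ssl.OPENSSL_VERSION}: {status}")
    print(f"ISRG Root X1 in default trust store: {isrg_root_x1_in_default_store()}")
    # ASSUMPTION: anything below Node.js 12 gets a heads-up email; pick the
    # threshold from your own client population, not from this example.
    for ip, version in find_outdated_node_clients(SAMPLE_LOG.splitlines(), min_major=12):
        print(f"outdated client {ip}: Node.js {version}")
```

Run it on a representative client host to get the OpenSSL and trust-store answers for that machine, and point `find_outdated_node_clients` at your real access logs (adjusting `NODE_UA_RE`) to build the list of customers to warn before moving DNS to the v3 rack.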