“Let’s Encrypt” Certificate Expiration
15 October 2021

If you use encryption in Voice over IP telephony, chances are that you recently ran into problems caused by the expiration of a root certificate used by “Let’s Encrypt”. But what is “Let’s Encrypt”? How and where is it used? How does this expiration affect your devices?
What is Let’s Encrypt?
To serve a website over HTTPS, the server needs a certificate, and certificates are issued by a Certificate Authority (CA). Let’s Encrypt is a free, nonprofit Certificate Authority. To obtain a certificate for your website’s domain from Let’s Encrypt, you have to prove that you control that domain.
This proof is handled by software that speaks the ACME protocol (Automatic Certificate Management Environment), which usually runs on the web host itself. If you have shell access (SSH) to your web host, you can pick the ACME client that best fits your setup; if the site is managed through a control panel such as cPanel or Plesk, or a hosted WordPress, you will most likely need to ask the hosting provider for shell access.
The goal of Let’s Encrypt and the ACME protocol is to let you set up an HTTP server and have it automatically obtain a certificate that web browsers trust, with no human interaction: a certificate management agent running on the web server proves control of the domain, requests the certificate, installs it and renews it before it expires.
Let’s Encrypt does not issue TLS certificates for websites only. A certificate is bound to a domain name, not to a protocol, so the same certificate can secure any server reachable under that name: web servers, mail servers, FTP servers, VoIP/SIP servers, and so on.

On September 30th, 2021, the way older browsers and devices trust Let’s Encrypt certificates changed. On a regular website the change went unnoticed, since most visitors’ browsers still accept Let’s Encrypt certificates, but if you expose an API or serve IoT devices, some action may be required.
The certificate that expired is DST Root X3, an IdenTrust root that had “cross-signed” Let’s Encrypt’s own root so that certificates issued by Let’s Encrypt were trusted on devices that predate it. Up-to-date devices trust the newer root, ISRG Root X1, as well as its predecessor DST Root X3, and are therefore unaffected. Older devices (Windows releases before XP SP3, macOS before 10.12.1, the iPhone 4 and other devices stuck on iOS versions before 10, the HTC Dream, older PlayStation consoles, to name a few) do not trust ISRG Root X1 and now have no valid path to a trusted root.
Some devices can be tweaked to trust the newer root, but others cannot because they are end-of-life and no longer receive firmware updates. Android is a special case: Let’s Encrypt arranged a workaround that keeps ISRG Root X1 (whose own certificate runs until 2035) trusted on most older Android devices. Devices running Android 7.1.1 Nougat or later ship ISRG Root X1 in their trust store; earlier versions rely on a cross-signature of ISRG Root X1 by DST Root X3 that remains valid for about three more years, which works because Android does not reject a trust anchor that has passed its expiry date. Users on Android 5.0 Lollipop or earlier may still need to install Firefox for web browsing, since that browser carries its own list of trusted root certificates.
This is where SIP telephony, or VoIP, comes in. The expiration of DST Root X3 has caused problems for VoIP users whose phones and adapters are no longer supported by their manufacturers, or whose firmware has not been updated in a long time. Such devices still carry the now-expired DST Root X3 in their trust store but never received ISRG Root X1, so when they connect to the SIP server by domain name using TLS as the transport, certificate validation fails and the device cannot register.
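To make the failure mode above concrete, here is an added example (not code from the original post, and not from Let’s Encrypt) that builds a toy PKI in Go modelled on the real hierarchy: a self-signed “DST Root X3” that expires on 2021-09-30, a self-signed “ISRG Root X1” valid until 2035, the cross-signed copy of ISRG Root X1 issued by DST Root X3 and valid until 2024-09-30, an “R3” intermediate and a server certificate for the hypothetical host sip.example.com. Names, keys and the host name are made up; only the validity dates follow the real certificates. The example then runs Go’s standard chain validation (crypto/x509) the way three devices would: one whose trust store holds only the old root, checked before and after 30 September 2021, and one whose store also holds ISRG Root X1.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ToyPKI mirrors the Let's Encrypt hierarchy. Only the validity dates follow
// the real certificates; names, keys and the host name are made up here.
type ToyPKI struct {
	OldRoot     *x509.Certificate // "DST Root X3": self-signed, expires 2021-09-30
	NewRoot     *x509.Certificate // "ISRG Root X1": self-signed, expires 2035
	CrossSigned *x509.Certificate // ISRG Root X1 key/subject, signed by DST Root X3, expires 2024-09-30
	Inter       *x509.Certificate // "R3" intermediate, issued by ISRG Root X1
	Leaf        *x509.Certificate // server certificate for sip.example.com (hypothetical host)
}

func day(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

var serial int64

// issue signs tmpl (carrying pub) with signerKey under the signer certificate;
// a nil signer produces a self-signed certificate.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, signer *x509.Certificate, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	if signer == nil {
		signer = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(cn string, from, to time.Time) *x509.Certificate {
	return &x509.Certificate{
		Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func BuildToyPKI() *ToyPKI {
	oldKey, newKey, interKey, leafKey := genKey(), genKey(), genKey(), genKey()
	p := &ToyPKI{}
	p.OldRoot = issue(caTemplate("DST Root X3 (toy)", day(2000, 9, 30), day(2021, 9, 30)), &oldKey.PublicKey, nil, oldKey)
	p.NewRoot = issue(caTemplate("ISRG Root X1 (toy)", day(2015, 6, 4), day(2035, 6, 4)), &newKey.PublicKey, nil, newKey)
	// The cross-sign: same subject and key as NewRoot, but issued by OldRoot and
	// deliberately outliving it. Android keeps working through this path because
	// it does not reject a trust anchor that has passed its expiry date.
	p.CrossSigned = issue(caTemplate("ISRG Root X1 (toy)", day(2021, 1, 20), day(2024, 9, 30)), &newKey.PublicKey, p.OldRoot, oldKey)
	p.Inter = issue(caTemplate("R3 (toy)", day(2020, 9, 4), day(2025, 9, 15)), &interKey.PublicKey, p.NewRoot, newKey)
	p.Leaf = issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: "sip.example.com"}, DNSNames: []string{"sip.example.com"},
		NotBefore: day(2021, 8, 1), NotAfter: day(2021, 10, 30),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, &leafKey.PublicKey, p.Inter, interKey)
	return p
}

// VerifyAt validates Leaf for sip.example.com the way a device with the given
// trust store would, using the intermediates the server sent, at time at.
func VerifyAt(p *ToyPKI, trusted, sent []*x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := p.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at, DNSName: "sip.example.com",
	})
	return err
}

func main() {
	p := BuildToyPKI()
	served := []*x509.Certificate{p.Inter, p.CrossSigned} // chain a typical Let's Encrypt server sends: leaf, R3, cross-signed ISRG Root X1
	oldStore := []*x509.Certificate{p.OldRoot}            // firmware that never received ISRG Root X1
	newStore := []*x509.Certificate{p.OldRoot, p.NewRoot} // up-to-date trust store
	fmt.Println("old firmware before expiry:   ", VerifyAt(p, oldStore, served, day(2021, 9, 1)))
	fmt.Println("old firmware after expiry:    ", VerifyAt(p, oldStore, served, day(2021, 10, 15)))
	fmt.Println("updated firmware after expiry:", VerifyAt(p, newStore, served, day(2021, 10, 15)))
}
```

The second line of output is the SIP phone’s problem in miniature: the only root the device knows has expired, so the chain the server sends no longer ends at a valid trust anchor. The third line shows why updated devices were unaffected: once ISRG Root X1 is in the store, the validator finds the shorter path (leaf, R3, ISRG Root X1) and never needs the expired root. One caveat for operators: some older TLS stacks (OpenSSL 1.0.2 and earlier is the well-known case) do not search for that alternative path and fail even when ISRG Root X1 is trusted, as long as the server sends the cross-signed certificate; for such clients the fix is on the server side, by serving the chain that stops at R3 instead of the long chain.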

We have received reports of devices that register with our servers correctly, but only when using UDP or TCP transport. We are currently working closely with our partners to get updated information directly from them, so that we can be certain which devices can be updated and which cannot.
We will be updating our Wiki resources shortly to include detailed information on the devices that will require further tweaks in order to keep supporting encryption, as well as the devices that will not be able to trust the newer root certificate now in widespread use.
Please do not hesitate to reach out to our Support email at [email protected] if you are experiencing issues at the moment.