The AddTrust External Root certificate expired last Saturday. This was planned, but due to an incorrect implementation, some clients continue to try to build a certificate chain for the expired root certificate, fail and then report an incorrect certificate.
Actually, the expiry of the certificate should not be a problem. Sectigo owns and uses newer root certificates that are still valid. Modern clients trust these root certificates and automatically use certificate chains that use these newer root certificates. All common browsers behave this way and are therefore not affected by the problem.
The problem arises from an intermediate certificate that servers send especially for older clients. Very old clients who did not trust the newer root certificates from Sectigo could use the intermediate certificate to create a certificate chain for the root certificate. The intermediate certificate, like the affected root certificate has now expired, which should only affect the very old clients described.However, more modern clients who trust the newer root certificates should find that they can construct a valid certificate chain even without this intermediate certificate – just by using the newer root certificates.
Older Versions Of The OpenSSL Libraries Are Apparently Affected
Programs that use these libraries try to build a chain over the expired intermediate certificate even if this is not really necessary because they trust the newer roots of Sectigo. But because the intermediate certificate has now expired, these clients fail and report a certificate error, which in the worst case does not even show which certificate has expired.
Users affected by the problem can try to remove the AddTrust External Root from the certificates that their system trusts. At least some systems can handle an unknown certificate better than an expired one and then switch to certificate chains to the newer root certificates. With appropriate updates from the client, AddTrust External Root should also automatically disappear from systems sooner or later.
