Open SergioGlorias opened 4 months ago
Have you tested this? Without lichess1.org, the whole site should be broken but I didn't notice any issues trying with iOS 14 in Browserstack. Checking the certificate chain with openssl, it looks like Cloudflare is using a cross-signed version of ISRG Root X2:
In addition, all platforms which trust ISRG Root X1 also trust the cross-signed version of ISRG Root X2.
Also would be surprised if Cloudflare would drop support for iOS 16 already.
Though ultimately, at some point older certificates expire anyways and there's nothing we can do against that. At some point, a device that doesn't receive any more updates becomes so outdated that it just can't be used anymore. Looks like ISRG Root X1 still has a decade left but we've already had this happen with the previous one a few years ago.
I haven't tested it directly, but I'm seeing who is having problems. Regarding iOS 14, there may have been an application update to extend support, as happened with Android 7 and below, which currently no longer trust lichess.org's current SSL certificate.
I could also ask about it being Android 14+.
In addition, the operating system's internal systems may no longer have the certificate, but application certificates do.
Do you have any specific cases/versions that are having SSL issues? As mentioned, it looks like Cloudflare is using the cross-signed version of the X2 certificate which, according to the Let's Encrypt page you linked, works on all devices that trust X1.
Which makes sense, Android 14 only released last year, there's no way Cloudflare would already break that. Same for iOS 16 as already mentioned above.
As for devices that don't even trust X1, I'm not sure we can reasonably do much about that. The best option is probably to use something like Firefox which has its own trust store. But such devices must already be lacking years of security updates and probably shouldn't connect to the internet at all. Given how ubiquitous Let's Encrypt is, they probably also can't use most other websites either.
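The cross-signing point made in the two comments above (a chain that ends in the cross-signed ISRG Root X2 validates on any client that trusts ISRG Root X1, while the self-signed X2 alone does not) can be reproduced offline. The script below is an added example for this thread, not code from lichess or Cloudflare: it builds a throwaway PKI in which oldroot stands in for ISRG Root X1, newroot for ISRG Root X2, newroot-cross is the same new-root key cross-signed by the old root, and leaf is a server certificate issued by the new root; openssl verify then plays three different clients. All names, keys and the hostname toy.example are constructed. show_chain repeats the openssl check mentioned above against a live host and is the only part that needs network.

```shell
#!/bin/sh
# Added example for this thread (not lichess or Cloudflare code). Builds a toy PKI
# that mirrors the situation in the issue and checks it with openssl verify:
#   oldroot.pem        stand-in for ISRG Root X1 (present in old and new trust stores)
#   newroot.pem        stand-in for ISRG Root X2 (only in up-to-date trust stores)
#   newroot-cross.pem  the same new-root key, but issued (cross-signed) by the old root
#   leaf.pem           a server certificate issued by the new root
# Requires the openssl CLI (1.1.1 or newer). Every name and key here is constructed.

build_toy_pki() {
    dir=$1
    mkdir -p "$dir"
    # Extension profiles. AKID is keyid-only (as in the real ISRG cross-sign), so the
    # leaf chains to either copy of the new root, self-signed or cross-signed.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$dir/root.ext"
    cp "$dir/root.ext" "$dir/cross.ext"
    printf '%s\n' 'authorityKeyIdentifier=keyid' >> "$dir/cross.ext"
    printf '%s\n' 'basicConstraints=CA:FALSE' 'subjectAltName=DNS:toy.example' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$dir/leaf.ext"

    # Keys and CSRs for the three entities.
    for name in oldroot newroot leaf; do
        openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=Toy $name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    done
    # Both roots self-sign their own CSR.
    for name in oldroot newroot; do
        openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" -days 365 \
            -extfile "$dir/root.ext" -out "$dir/$name.pem" 2>/dev/null
    done
    # Cross-sign: the new root's CSR (same subject, same key) signed by the old root.
    openssl x509 -req -in "$dir/newroot.csr" -CA "$dir/oldroot.pem" -CAkey "$dir/oldroot.key" \
        -CAcreateserial -days 365 -extfile "$dir/cross.ext" -out "$dir/newroot-cross.pem" 2>/dev/null
    # Leaf issued by the new root.
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/newroot.pem" -CAkey "$dir/newroot.key" \
        -CAcreateserial -days 90 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Plays a TLS client: $2 is the client's trust store, $3 the intermediate the server
# sends alongside the leaf. Prints OK or FAIL. System roots are excluded on purpose.
verify_leaf() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1/$2" -untrusted "$1/$3" \
            "$1/leaf.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Prints subject and issuer of every certificate a live server actually sends, which is
# the check done with openssl in the thread. Needs network, so the demo does not call it.
show_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | openssl crl2pkcs7 -nocrl -certfile /dev/stdin \
        | openssl pkcs7 -print_certs -noout
}

demo() {
    d=$(mktemp -d)
    build_toy_pki "$d"
    echo "old client, server sends cross-signed new root: $(verify_leaf "$d" oldroot.pem newroot-cross.pem)"
    echo "old client, server sends self-signed new root : $(verify_leaf "$d" oldroot.pem newroot.pem)"
    echo "new client, server sends self-signed new root : $(verify_leaf "$d" newroot.pem newroot.pem)"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh crosssign.sh demo`: the first and third lines come back OK and the second FAIL, which is exactly why serving the cross-signed X2 keeps X1-only clients working. `show_chain lichess1.org` lists what the proxy really sends, so the issuer of the last certificate shows whether the chain ends in the cross-signed X2 or the self-signed one.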
Exact URL of where the bug happened
At the moment: lichess1.org (full domain) and cf-socket
But in the future it could affect the entire domain.
Steps to reproduce the bug
What did you expect to happen?
Lichess work
What happened instead?
The domain lichess1.org is unable to connect due to an SSL error
Operating system
Any system off the list https://letsencrypt.org/docs/certificate-compatibility/#platforms-that-trust-isrg-root-x2 (ISRG Root X2)
Browser and version (or alternate access method)
Any Browser off the list https://letsencrypt.org/docs/certificate-compatibility/#platforms-that-trust-isrg-root-x2 (ISRG Root X2)
Additional information
The domain lichess1.org uses Cloudflare proxies. Since May 15th, Cloudflare has started using Let's Encrypt's ISRG Root X2 certificates instead of ISRG Root X1, which means that any navigation system that is older than those mentioned in the list will have problems using Lichess.org.
NOTE: Androids with a version earlier than 7.1.1 are also unable to use Lichess with ISRG Root X1 certificates (which is the current lichess.org certificate); Google had already postponed that problem once, and that date has passed.