Some users have noticed recently that their website is showing as insecure when viewed from certain browsers or devices, but not from others. The “connection not secure” message looks similar to the following:
Below we will explain why a site may appear insecure in some browsers while loading correctly in others, and we’ll provide some options for how to deal with it going forward.
All sites hosted at Pressable come with a complimentary secure socket layer (SSL) certificate powered by Let’s Encrypt for free, configured automatically. We love Let’s Encrypt because it is a free automated and open certificate (CA) authority that is intended to benefit the general public, provided by a reputable organization called Internet Security Research Group (ISRG).
Recently Let’s Encrypt announced a change to their root certificate. Essentially, their CA X3 certificate that is trusted by older browsers and devices expired, and only their newer ISRG Root X1 certificate is available. Older devices that only trust the expired root certificate will show a warning.
Does this mean my site is insecure and not protected?
Not at all! All sites hosted at Pressable are configured with an up-to-date SSL certificate from Let’s Encrypt. It just means that older devices will not correctly see the certificate because they are looking for the expired CA X3 certificate.
Let’s Encrypt shared a list of affected devices on this page: https://letsencrypt.org/docs/certificate-compatibility, which include:
On some devices, you might notice that Chrome displays a warning, while FireFox works correctly. This is because FireFox relies on its own root certificate which is compatible, while Chrome does not yet offer this (but will soon).
Also please note that some custom proxies and company firewalls may need to be reconfigured to work properly with the new Let’s Encrypt root certificate.
Ultimately this is an issue that is resulting from the need for updated programs/software. A few options to remediate the warning notices include: