A Let's Encrypt root certificate is expiring next year. Are the gateways ready?

Gateways that do not get any firmware update might be in trouble when they stop trusting the root certificates used by TTN. According to “An Internet of Trouble lies ahead as root certificates begin to expire en masse, warns security researcher” in The Register last week:

When will the next widely used root certificate expire? “Possibly March next year,” he says. “Within the next 12 months we’re going to have lot of things breaking, or hopefully a response from the industry to start fixing stuff.”

One potentially significant date is 30 September 2021, when the DST Root CA X3 certificate used by many Let’s Encrypt certificates expires. Again, it is no use simply updating the certificate on the server; the client must have an updated root certificate for this to be effective.

The researcher’s own blog was a bit more alarming, quoting Let’s Encrypt:

Update, May 20 2019

Due to concerns about insufficient ISRG root propagation on Android devices we have decided to move the date on which we will start serving a chain to our own root from July 8, 2019, to July 8, 2020.

But that blog also explains:

Let’s Encrypt are currently using a cross-signed intermediate and chain down to the IdenTrust DST Root CA X3 certificate. That root certificate expires on 30th Sep 2021 […]

Given that The Register’s interview does not mention July 2020, I think Let’s Encrypt does not currently plan to stop using their cross-signing workaround for certificates that are issued after July 8, 2020. And “Let’s Encrypt new hierarchy plans” on their forum seems to confirm that the deadline is September 2021 indeed:

Let’s Encrypt will be issuing new intermediates and a new root certificate in the coming months. We’re publishing our proposed issuances so we can get feedback from the community and root programs about these plans and potentially make them better.


  • We need to generate new RSA intermediates to replace Let’s Encrypt Authority X3 and Let’s Encrypt Authority X4, which have cross-signs expiring in March 2021.
  • We want to get additional cross-signatures on some of our intermediates from IdenTrust’s DST Root X3. This will extend our trust on older devices (including Android pre-7.1). The new cross-signs will expire September 2021.

TTN uses Let’s Encrypt, and endpoints such as https://account.thethingsnetwork.org/api/v2/frequency-plans/EU_863_870 still use DST Root CA X3, not only ISRG Root X1 CA.

As for gateways being ready:

  • It seems the Kickstarter The Things Gateway was updated May 2019 to prepare for using the new root certificate. Make sure you get that update.

  • The old Semtech UDP forwarder does not use any TLS at all? (Can anyone confirm?)

  • For other gateways, especially when installing new ones in the coming months, it might be time to investigate?
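One way to investigate a gateway's trust store, as an added example that is not part of the original thread: list the roots that expire by 30 September 2021 and check whether ISRG Root X1 is already trusted. The sample stores are constructed, and the bundle path passed to `load_roots` is whatever PEM file your gateway firmware ships (an assumption).

```python
import ssl
from datetime import datetime, timezone

# Flag roots that expire on or before 30 September 2021 (date quoted in the post).
CUTOFF = datetime(2021, 10, 1, tzinfo=timezone.utc)
NEW_ROOT = "ISRG Root X1"

def root_name(cert):
    """Pick a display name from the subject tuple returned by get_ca_certs()."""
    fields = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return fields.get("commonName") or fields.get("organizationName", "<unnamed>")

def audit_roots(ca_certs, cutoff=CUTOFF, new_root=NEW_ROOT):
    """Return (names of roots expiring before cutoff, whether new_root is trusted)."""
    expiring, has_new = [], False
    for cert in ca_certs:
        name = root_name(cert)
        not_after = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
        if not_after < cutoff:
            expiring.append(name)
        elif name == new_root:
            has_new = True
    return sorted(expiring), has_new

def load_roots(cafile=None):
    """Read a PEM bundle copied from the gateway, or the OS default store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()  # certs in a hashed capath directory are not listed
    return ctx.get_ca_certs()

# Constructed samples in get_ca_certs() format: a store that never got the
# new root, and the same store after a firmware update added it.
OLD_STORE = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
]
UPDATED_STORE = OLD_STORE + [
    {"subject": ((("commonName", "ISRG Root X1"),),),
     "notAfter": "Jun 04 11:04:38 2035 GMT"},
]

if __name__ == "__main__":
    for label, store in (("old", OLD_STORE), ("updated", UPDATED_STORE)):
        print(label, audit_roots(store))
```

A store that reports DST Root CA X3 as expiring and does not contain ISRG Root X1 is the case the quoted article warns about: updating the server's certificate will not help that client.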

That’s right. No TLS.

…And the MP-PF status/TLS/Cert use, Jac?

No TLS. I never found a TLS library with the right license and features that it could be used with MQTT and not require too many resources.

