With the expiry of the old Let’s Encrypt root certificate earlier in the year, it caused problems for devices that hadn’t updated root certificates in the last 5 years or so, therefore weren’t able to validate certificates being issued.
As a work-around for these old devices, Let’s Encrypt added a second intermediate certificate, signing the new intermediate with the old Root certificate.
That old root certificate expired a few days ago, and in the vast majority of cases the extra intermediate isn’t used and is ignored as irrelevant, but in a few cases the intermediate being present and signed with a now-defunct root certificate causes problems.
This affects Sympl as it evaluates the full certificate chain to determine if a certificate has expired or not, and the library being used doesn’t ignore the extra intermediate, which meant that sympl-ssl was considering all Let’s Encrypt certificates invalid, leading it to renew them all.
With sympl-core version x.20211003.0 released earlier today, the superfluous intermediate certificate is now automatically removed from the ssl.bundle and ssl.combined files when it follows the normal certificate, which should mean that Sympl no longer considers certificates invalid.
Longer term, sympl-ssl is being re-implemented and will be replaced with a new version at a later date.
