The Great SSL Certificate Expiry of 2020 (and how I fixed my email)
On 30th May 2020, shortly after 10:38 UTC, the email app on my phone stopped working, with a cryptic warning that the SSL certificate being used had expired.
Naturally I contacted my email service provider. How could they let such a terrible thing happen?
They checked, assured me their SSL certificate was in good order, but had it re-issued just in case.
I waited. It still didn't work. So I phoned them again. They promised to escalate the problem to the next level of support, and after a while the error message on my phone changed. Instead of an expired certificate it was reporting an untrusted root. I cursed their incompetence, but then I discovered that the email client on another machine was now working. So this was something specific to my Android phone.
Finally I stumbled upon the article "Fixing the Breakage from the AddTrust External CA Root Expiration", which explained what had gone wrong.
The SSL certificate used by my email provider was signed by a certificate provider whose certificates were in turn signed by the root certificate authority "AddTrust AB", whose certificate was recognized as a trusted root by my phone. Unfortunately this trusted root's certificate expired on 30 May 10:30:48 UTC. My email app detected this, and reported (in a confusing manner) that the mail provider's certificate had expired.
The idea in SSL is that critical things get signed by a certificate to show that they have not been tampered with. That certificate is in turn signed by another certificate (to show it is genuine), and this repeats until you arrive at a root certificate which you implicitly trust. In practice, there are hundreds of certificate signing authorities you need to implicitly trust (each country has several), and your phone or other device has a built-in list of which root certificates it trusts.
The problem now was that after the email provider's fix, it still didn't work. My Android phone is quite old, and hasn't had any updates for a couple of years. As a consequence, my email app didn't know about the new-ish root certificate which my email provider was now using, and therefore the secure connection still failed. I was worried at this point that I might need to buy a new phone.
But fortunately that was not the case.
I used the Comodo SSL checker tool, giving it the hostname and port which my email program connected to (e.g. mail.example.com:465). This displayed the certificate chain from my email provider, and showed that the email SSL certificate was now signed by COMODO RSA Domain Validation Secure Server CA. After more searching, I found a place where Comodo certificates could be downloaded, buried deep in the support section of Comodo's website.
This gave me a number of certificates to choose from, many of which were already pre-expired!
So finally (skipping a lot of paths which led nowhere):
- I downloaded the ".crt" file for COMODO RSA Domain Validation Secure Server CA (which expires on 11 February 2029) onto my Android device.
- I also added the ".crt" file for the Comodo RSA Certification Authority certificate.
- I dismissed the warning on my phone that somebody could intercept my communications because I had manually added trusted certificates.
And my email started working again… or at least it will keep working until 2029, when the new certificate expires.
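To make the three states described above concrete (the "expired" error, the later "untrusted root" error, and the fix by installing CA certificates by hand), here is a toy chain walker. It is an added example, not code from the post or from any real client: signatures are not checked, only issuer/subject matching and expiry dates, and the dates not given in the post (the 2038 root expiry, the cross-certificate expiring together with AddTrust) are assumptions, as is the constructed leaf for mail.example.com.

```python
# Added example, not from the post: a toy chain walker that reproduces the three
# states described above. Signature checks are omitted; only issuer/subject
# matching and expiry dates are modelled.
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # subject of the certificate that signed this one
    not_after: datetime  # expiry, UTC

def validate(leaf, supplied, trust_store, now):
    """Walk from the leaf towards a trust anchor, rejecting expired certs on the
    way; a trusted copy of a CA is preferred over one the server supplied."""
    by_subject = {c.subject: c for c in supplied}   # extra certs the server sent
    cert = leaf
    for _ in range(8):                               # guard against issuer loops
        if now > cert.not_after:
            return False, f"'{cert.subject}' expired on {cert.not_after:%Y-%m-%d}"
        if cert.subject in trust_store:
            return True, f"anchored at trusted '{cert.subject}'"
        if cert.issuer in trust_store:
            cert = trust_store[cert.issuer]
        elif cert.issuer in by_subject:
            cert = by_subject[cert.issuer]
        else:
            return False, f"untrusted root: no certificate for '{cert.issuer}'"
    return False, "chain too long"

# Dates given in the post: AddTrust expiry, 2029 intermediate. Others are assumed.
ADDTRUST = Cert("AddTrust External CA Root", "AddTrust External CA Root", datetime(2020, 5, 30, 10, 30, 48))
COMODO_ROOT = Cert("COMODO RSA Certification Authority",
                   "COMODO RSA Certification Authority", datetime(2038, 1, 18))
COMODO_CROSS = Cert(COMODO_ROOT.subject, ADDTRUST.subject, ADDTRUST.not_after)  # cross-signed copy
DV_CA = Cert("COMODO RSA Domain Validation Secure Server CA", COMODO_ROOT.subject, datetime(2029, 2, 11))
LEAF = Cert("mail.example.com", DV_CA.subject, datetime(2021, 1, 1))  # constructed leaf
JUST_BEFORE, JUST_AFTER = datetime(2020, 5, 30, 10, 0), datetime(2020, 5, 30, 11, 0)

def scenarios(now=JUST_AFTER):
    old_phone = {ADDTRUST.subject: ADDTRUST}                    # no updates for years
    modern = {**old_phone, COMODO_ROOT.subject: COMODO_ROOT}    # ships the newer root
    patched = {**modern, DV_CA.subject: DV_CA}                  # the certs added by hand above
    return {
        "old phone, old chain": validate(LEAF, [DV_CA, COMODO_CROSS], old_phone, now),
        "modern client, old chain": validate(LEAF, [DV_CA, COMODO_CROSS], modern, now),
        "old phone, provider's fixed chain": validate(LEAF, [DV_CA], old_phone, now),
        "old phone, CA certs installed by hand": validate(LEAF, [DV_CA], patched, now),
    }
```

Run `scenarios()` for the state after the expiry and `scenarios(JUST_BEFORE)` for the morning before it; the patched phone is anchored at the 2029 intermediate, which is why the fix only lasts until then.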
On my phone I had the opportunity to manually install additional trusted certificates. But what about all the poor orphaned IoT devices out there?
Judging by the number of certificates expiring in 2038, everything will fall apart then.
If we all get that far.