voltone
PSA: preventing outages due to DST Root CA expiry on Sep 30th
On September 30th, the root CA certificate DST Root CA X3 will expire. Let’s Encrypt have started rolling out a creative certificate chain to servers that use their certificates, which unfortunately may trip up some Erlang/Elixir applications once that DST Root CA expires. This could lead to outages due to failed TLS handshakes on the connection between such applications and those servers/services. Recent versions of Erlang/OTP include a fix that prevent those issues.
If you run an application on the BEAM that may communicate over TLS with one or more servers/services that present a Let’s Encrypt certificate, the safest thing to do is make sure the application is running on Erlang/OTP 23.3.4.5 or later, or 24.0.4 or later. If that’s not an option, check out this post for other, client and OTP-version specific recommendations.
Keep in mind that, due to client connection pools and TLS session reuse, an affected application may continue to function normally until some time after September 30th when the first new TLS handshake takes place…
Edit - let me clarify, this is not about servers (e.g. Phoenix apps) that have a Let’s Encrypt certificate, it is about any application that connects to a server with a Let’s Encrypt certificate, e.g. through an HTTP client, an MQTT client, a higher-level API client that uses an HTTP client, etc. That could include Phoenix apps, but also CLI tools, CI/CD scripts, embedded devices, …
Most Liked
chrismccord
dimitarvp
You are a treasure, man. Thank you!
voltone
Mint v1.4.0 was released, with a fix to ensure it connects successfully even on affected OTP versions.
Popular in Discussions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









