Managed HTTPS certificates may be untrusted by older clients
Incident Report for Aptible
Resolved
All impacted Endpoints have been updated to use the alternative chain.
Posted Oct 05, 2021 - 14:40 EDT
Update
We will be updating dedicated stacks to use the alternative chain starting tomorrow, October 5, at 6 AM ET. We will update the status page when those changes are complete. If you would like to opt out of this change, please set the "APTIBLE_DISABLE_ALTERNATE_CHAIN" environment variable to "true" on the Apps you would like to not receive this update, or reach out to support@aptible.com.

All shared stacks, and all newly-created Managed HTTPS Endpoints, are already using the alternative chain unless the "APTIBLE_DISABLE_ALTERNATE_CHAIN" environment variable was set to "true" or our support team was notified that you would like to opt out prior to Friday afternoon.
Posted Oct 04, 2021 - 17:33 EDT
Update
Based on feedback from several sources, we’ve learned that many Aptible customers need to support legacy clients that fail to connect with the new default chain, but work with the “alternative chain” described here [0]. As a result, we’re going to migrate to using the alternative chain by default. As part of this migration process, we’ll be updating Endpoints in shared stacks to use the new certificate bundle tomorrow (October 1). We will migrate dedicated stacks after confirming no issues arise in migrating shared stacks

If you would like to opt out of this migration, please either reach out to support@aptible.com or set the "APTIBLE_DISABLE_ALTERNATE_CHAIN" environment variable to "true" on any apps you do not want us to migrate.

[0] https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
Posted Sep 30, 2021 - 22:45 EDT
Update
The root cause is a change to the Root Certificate used by our Managed HTTPS provider, Let's Encrypt [0]. While we continue to use their recommended [1] certificate bundle, not all clients are capable of utilizing this bundle. If clients are having trouble connecting to one of your Endpoints due to this issue, we have an updated certificate bundle we can issue which should resolve this for you, however, this new bundle may not be supported by other clients, some of which outlined here [2] under "Known Incompatible". Please reach out to support@aptible.com to switch to this bundle.

The Aptible dashboard (dashboard.aptible.com) will temporarily continue to show that these certificates are untrusted while we work to roll out the alternative bundle to anyone impacted. If you're not impacted by this issue, you can ignore the "Untrusted" tag.

[0] https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
[1] https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
[2] https://letsencrypt.org/docs/certificate-compatibility/
Posted Sep 30, 2021 - 13:13 EDT
Investigating
We're currently investigating an issues that has resulted in Managed HTTPS certificates to be untrusted by older clients. Newer clients, including modern browsers, are not impacted by this issue.
Posted Sep 30, 2021 - 12:17 EDT
This incident affected: Aptible Deploy.