There is an astonishing amount of misinformation in this thread. I know that this forum is a blend of technical, semi-technical, and non-technical folks, so I'm going to do my best to aim for the middle.
----
My credentials: I'm a principal-level software engineer with a focus on cybersecurity and cloud technology. I've worked for Amazon, WePay (the company that handles all of the payment processing for GoFundMe), and McGraw Hill Education (the company that sells the school and college textbooks that are way too expensive). I've been building things for the web for more than 20 years. There is a 90%+ chance that you have used — directly or indirectly — software I've had a hand in building. Also know that 86.4% of all percentages are made up on the spot.
----
The short version is that the entire internet works with things related to "trust", and those who are trusted "vouching" for someone else. By default, every computer, phone, tablet, gaming console, smart-anything, etc., ship with built-in definitions of people to trust (not really "people", but just go with me). Those people who are implicitly trusted by everyone have the ability to "vouch" for the trustworthiness of other people. (e.g., You're cool because they said you're OK.)
But trust isn't perpetual. Sometimes, trust expires, and you need to re-establish trust. Computer/device upgrades usually handle this for you, so that you don't have to worry about it. You simply trust the people that Apple, Microsoft, Google, Mozilla, etc., have agreed can be trusted.
In this case, one of the trusted people died. That person vouched for Let's Encrypt. Now, Let's Encrypt has found another trusted person to vouch for them, but the computers/devices that haven't been updated don't know about this new trusted person. As a result, those computers/devices no longer trust Let's Encrypt since the previous trusted person died.
Make sense-ish?
This is nobody's "fault". Technology marches ever-forward. Things that were OK one day, may be considered deprecated or unsupported another day. Technology is one where you need to keep up. I'm not saying you need to be on the bleeding edge, but conversely you need to make sure you don't fall completely off the back of the wagon either.
However, some computers/devices HAVE fallen off the back of the wagon. They are no longer supported by their vendors, and no longer receive the updates to (in this case) the list of trusted people.
Here is a well-written technical explanation of what has happened, for those who are interested:
https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
----
If you're on macOS 10.11 “El Capitan” or older, you've been impacted by this. The new "trusted person" wasn't added to macOS until 10.12 “Sierra”. HOWEVER, you can manually update the list of "trusted people" by downloading a file, adding it to Keychain Access, and then telling Keychain Access that you fully trust it. (This is the same thing as Apple has done with newer macOS versions.)
Firefox is an exception because Firefox keeps it's *own* list of trusted people packaged-up inside of itself, and doesn't use the list from macOS. Firefox is not implicitly better or worse than any other web browser (outside of religious wars). But this is one area where Firefox happens to be an exception to the rule.
For those in the technological "middle", it's roughly 3 steps, and should resolve the issue for those using Safari, Chrome, or the new Microsoft Edge for macOS. Those who are less technically adept should ask for help from people they trust to come show them how.
Certificate trust mainly relies on the "root" issuing certificate (and intermediate certificates) being trusted by your computer.
docs.certifytheweb.com
Lastly, for the curious, this is a broad (but incomplete) list of things that have "fallen off the back of the wagon", technologically-speaking, and are impacted by this issue. (That's not a judgement; it's simply a boring fact.)
The main determining factor for whether a platform can validate Let’s Encrypt certificates is whether that platform trusts ISRG’s “ISRG Root X1” certificate. Prior to September 2021, some platforms could validate our certificates even though they don’t include ISRG Root X1, because they trusted...
letsencrypt.org
I hope this helps!
www.venafi.com
