At 10am Eastern on September 30, the Let's Encrypt DST Root CA X3 certificate expired (see https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/)..) While all CallRail hosts and services had been checked and verified to be using the newer ISRG Root X1 certificate, an underlying 3rd-party component was still using the older root certificate. When the certificate expired, services using that component began to fail intra-service SSL handshakes, resulting in two customer-impacting issues:
The issue was resolved by updating the 3rd-party component to use the root certificates that have been vetted and approved for use by other CallRail services rather than using its internal SSL certificates. Additionally, all other services using the affected third-party component have been similarly updated.