DST_Root_CA_X3.pem no longer exists

Hi all.

I have an urgent issue. My domain is not a public domain that I can share. I have a server running on NGINX, it powers an network of IoT devices, these devices connect using the /etc/ssl/certs/DST_Root_CA_X3.pem the entire network is down. After a power cut last night, today I rebooted the server and started all the services and they all fail. DST_Root_CA_X3.pem no longer exists in the path above. Please can someone advise what to do to get these devices running again. /etc/ssl/certs/DST_Root_CA_X3.pem is passed to tls_set of the PAHO library. I am aware that the chain was due to expire on 30th but it has happened earlier and I am not sure what the correct chain is to pass to the MQTT library.
Thanks in advance.

As always, as soon as I posted the issue I found the fix. For anyone that may face this in their own networks you need to use /etc/ssl/certs/ISRG_Root_X1.pem in my case this solved the issue.

1 Like

Yes the default letsencrypt chain now goes via ISRG_Root_X1.pem then to DST_Root_CA_X3.pem. And yes one should pin things up to ISRG_Root_X1.pem.

Are you using Ubuntu? Because in Ubuntu we have removed DST_Root_CA_X3.pem already, which fixes connectivity to letsencrypt protected websites with old unpatched OpenSSL GnuTLS for the upcoming expiry this Friday.


Hi xnox, yes I am using Ubuntu 20.04. All is resolved now thankfully :slight_smile:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.