I have an urgent issue. My domain is not a public domain that I can share. I have a server running on NGINX; it powers a network of IoT devices, and these devices connect using /etc/ssl/certs/DST_Root_CA_X3.pem. The entire network is down. After a power cut last night, today I rebooted the server and started all the services, and they all fail. DST_Root_CA_X3.pem no longer exists at the path above. Please can someone advise what to do to get these devices running again? /etc/ssl/certs/DST_Root_CA_X3.pem is passed to tls_set of the Paho library. I am aware that the chain was due to expire on the 30th, but it has happened earlier, and I am not sure what the correct chain is to pass to the MQTT library.
Thanks in advance.
As always, as soon as I posted the issue I found the fix. For anyone who may face this in their own networks: you need to use /etc/ssl/certs/ISRG_Root_X1.pem. In my case this solved the issue.
Yes, the default Let's Encrypt chain now goes via ISRG_Root_X1.pem and then to DST_Root_CA_X3.pem. And yes, one should pin things up to ISRG_Root_X1.pem.
Are you using Ubuntu? Because in Ubuntu we have removed DST_Root_CA_X3.pem already, which fixes connectivity to Let's Encrypt-protected websites with old, unpatched OpenSSL/GnuTLS for the upcoming expiry this Friday.