Expired DST Root CA X3

Hi,

I've been looking to resolve the expired DST Root CA X3 for quite some time but did not find any solutions. Could you please advise how to remove this expired certificate or resolve the issue?

My domain is: web2print.com.sg

I ran this command: ssllab

It produced this output: DST Root CA X3 Self-signed
Fingerprint SHA256: 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739
Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
RSA 2048 bits (e 65537) / SHA1withRSA
Valid until: Thu, 30 Sep 2021 14:01:15 UTC
EXPIRED
Weak or insecure signature, but no impact on root certificate

My web server is (include version): apache

The operating system my web server runs on is (include version): Ubuntu 18.04 Apache

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Thank you.

2 Likes

Is there actually an issue or are you just looking at the SSLLabs output and you think something is wrong?

3 Likes

Hi Osiris,

Thank you for the reply. This was my previous question with regard to the expired SSL issue that was exposed in the Nexpose VA scan report.

I need to resolve this issue ASAP, otherwise the auditor will be questioning me. Thank you.

2 Likes

Change your preferred chain to "ISRG Root X1", which is the unexpired root. Let's Encrypt defaults to the expired "DST Root CA X3" chain mainly for compatibility with old Android versions.

Changing to ISRG Root X1 will, however, reduce your service's compatibility with old/not-updated operating systems.

3 Likes

Only Android, as, AFAIK, Android is the only OS which is fine with expired root certificates.

2 Likes

Android and anything else that doesn't know ISRG Root X1. Turns out the whole Windows will just update itself thing wasn't quite the full story.

2 Likes

I'm not familiar with systems other than Android that will ignore the notAfter date of a root certificate?

2 Likes

Good point, so what you're saying is if you don't trust ISRG Root X1 you probably can't access anything using a Let's Encrypt cert, unless you are on Android.

2 Likes

Yep, that's correct as far as I know.

2 Likes

Managed to resolve using preferred chain method.

2 Likes
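A way to confirm the preferred-chain change took effect, as an added example that is not part of the thread: it reads `openssl s_client` output and reports whether the served chain still carries the ISRG Root X1 cross-sign issued by DST Root CA X3. The function names, the `example.test` hostname and the sample chain (including the intermediate name `R3`) are constructed for illustration; in Certbot the setting is the `--preferred-chain` option, available from Certbot 1.6.0, which is newer than the 0.31.0 named in the question.

```shell
# Added example, not from the thread. Reads `openssl s_client` output on stdin.
# Live use (example.test is a placeholder hostname):
#   openssl s_client -connect example.test:443 -servername example.test \
#       </dev/null 2>/dev/null | check_chain

# Print the issuer CN of each certificate in the "Certificate chain" section.
chain_issuers() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        /^---$/              { in_chain = 0 }
        in_chain && /^ +i:/ && /CN *=/ {
            line = $0
            sub(/^.*CN *= */, "", line)   # keep what follows the last CN=
            sub("[,/].*$", "", line)      # drop anything after the CN value
            print line
        }'
}

# 0: chain stops at ISRG Root X1; 1: chain carries the cross-sign issued by
# the expired DST Root CA X3; 2: no chain found in the input.
check_chain() {
    issuers=$(chain_issuers)
    [ -n "$issuers" ] || { echo "no certificate chain in input"; return 2; }
    if printf '%s\n' "$issuers" | grep -qx 'DST Root CA X3'; then
        echo "long chain: includes the cross-sign issued by DST Root CA X3"
        return 1
    fi
    echo "short chain: top issuer is $(printf '%s\n' "$issuers" | tail -n 1)"
}

# Constructed sample of the default (long) chain, OpenSSL 1.1.1 layout.
sample_long_chain() { cat <<'EOF'
---
Certificate chain
 0 s:CN = example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}
```

The parser accepts both the comma-separated issuer layout shown in the sample and the older slash-separated one, and it ignores the PEM blocks that `-showcerts` adds.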
