Thanks! This fixed my problem.
Is this solution permanent? Do you know if it might break in the future?
Can I set auto-renew using this approach?
So are you saying that just simply creating a new cert fixed the problem?
Wayne Sallee
Wayne@WayneSallee.com
Yes. Because the fullchain.pem had the expired cert in it.
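Added example (not from the thread or from certbot): a small POSIX shell helper that splits a PEM bundle such as certbot's fullchain.pem into its individual certificates and asks openssl whether each one is expired, or will expire within the given number of seconds. The bundle path and the threshold are arguments; the function returns the number of certificates that fail the check, so it can be used directly in a cron or monitoring script.

```shell
#!/bin/sh
# Added example, not from the thread: list every certificate in a PEM bundle
# (e.g. /etc/letsencrypt/live/<name>/fullchain.pem) and flag the ones that
# expire within the next N seconds. N=0 means "already expired".
# Requires the openssl command-line tool.

# Usage: check_chain /path/to/fullchain.pem [seconds]
# Prints one "OK"/"EXPIRING" line per certificate and returns the number
# of certificates that are expired or expiring within the window.
check_chain() {
    bundle="$1"
    within="${2:-0}"
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle: each BEGIN..END block goes to its own cert-NNNN.pem.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n) }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$bundle"

    bad=0
    for f in "$tmpdir"/cert-*.pem; do
        [ -f "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        notafter=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        # -checkend exits 0 if the cert is still valid "within" seconds from now,
        # 1 if it has expired or will expire inside that window.
        if openssl x509 -in "$f" -noout -checkend "$within" >/dev/null; then
            printf 'OK       %s (notAfter=%s)\n' "$subject" "$notafter"
        else
            printf 'EXPIRING %s (notAfter=%s)\n' "$subject" "$notafter"
            bad=$((bad + 1))
        fi
    done

    rm -rf "$tmpdir"
    return "$bad"
}
```

Run it as `check_chain /etc/letsencrypt/live/example.test/fullchain.pem 0` to see which entries in the chain are already expired, or with a window such as `2592000` (30 days) to catch the next expiry before clients start failing. Note that this only inspects the certificates that are physically in the file; a root that is expired in the client's trust store but not shipped in fullchain.pem will not show up here.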
That's the approach I tried, but on my Xubuntu NextCloud server system the certificates are held in a core18 snap file. Trying to remove them results in an error as you cannot remove components of a live snap file, the snap file itself must be rebuilt without them. So I tried that using unsquashfs and mksquashfs but then the snap file wasn't recognised.
None of my NextCloud clients can connect; they all get a certificate error.
So I'm still looking for a solution.
Actually I did. Start with this article: DST Root CA X3 Expiration (September 2021) - Let's Encrypt
You must not be getting Windows updates (as is the case with me) for it to break. Otherwise an update would have already downloaded the ISRG Root X1 root cert. Chrome, strangely, uses Windows' root certificates, while Firefox manages its own. So FF works no problem. Here is what I did: In FF go to about:preferences#privacy and scroll to Certificates. Click View and then find the ISRG Root X1 root cert. Export it; it will be saved to, say, your Desktop. Then just import it into your Trusted Root Certification Authorities store in Windows (it's easy, just google it quickly). Worked like a charm for me.
Thanks, man!
Gonna try the update and, if not, the FF method.
It worked! I exported it from another PC that had it and imported it on the problematic PC.
An important point of confusion: do not double-click, but use the IMPORT function.
Precisely. I double-clicked first also.
I had some trouble using Python 3.9 on Windows 10.
The standard way (up to 2021-09-30) was:
Python 3.9.5 (tags/v3.9.5:0a7dcbd, May 3 2021, 17:27:52) [MSC v.1928 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import urllib3
>>> http = urllib3.PoolManager()
>>> ret = http.request("GET", "https://community.letsencrypt.org")
which now produced the exception
Traceback (most recent call last):
File "C:\dev\git\playground-python\env\lib\site-packages\urllib3\connectionpool.py", line 699, in urlopen
httplib_response = self._make_request(
File "C:\dev\git\playground-python\env\lib\site-packages\urllib3\connectionpool.py", line 382, in _make_request
self._validate_conn(conn)
File "C:\dev\git\playground-python\env\lib\site-packages\urllib3\connectionpool.py", line 1010, in _validate_conn
conn.connect()
File "C:\dev\git\playground-python\env\lib\site-packages\urllib3\connection.py", line 411, in connect
self.sock = ssl_wrap_socket(
File "C:\dev\git\playground-python\env\lib\site-packages\urllib3\util\ssl_.py", line 449, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(
File "C:\dev\git\playground-python\env\lib\site-packages\urllib3\util\ssl_.py", line 493, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "C:\dev\Python\Python39\lib\ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "C:\dev\Python\Python39\lib\ssl.py", line 1040, in _create
self.do_handshake()
File "C:\dev\Python\Python39\lib\ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)
Note: On Ubuntu 20.04 the above snippet still works out of the box, it was just Windows that caused trouble.
For Windows, using certifi solved my problem.
>>> import certifi
>>> import urllib3
>>> http = urllib3.PoolManager(cert_reqs="CERT_REQUIRED", ca_certs=certifi.where())
>>> ret = http.request("GET", "https://community.letsencrypt.org")
>>> ret.status
200
Hi @mpapenbr, welcome to the LE community forum
[and thank you for bringing the information of that problem and your solution to it into this forum]
Thank you so much everyone.
Using snap to run a newer version of certbot, and telling it to use --preferred-chain "ISRG Root X1", worked like a charm. Now my phone is back to happily running DoT through Stunnel.
The preferred chain option was automatically added to /etc/letsencrypt/renewal/MyServer.conf as:
preferred_chain = ISRG Root X1
So on next renewal it will not break the chain.
So then what did you do after getting rid of CA X3, recreate the certificate?
Wayne Sallee
I got:
update-ca-certificates
/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt not found, but listed in /etc/ca-certificates.conf.
So in /etc/ca-certificates.conf I changed
mozilla/DST_Root_CA_X3.crt
to
!mozilla/DST_Root_CA_X3.crt
Then re-ran
update-ca-certificates
The fact that my server is still running Debian 9 is playing into the problem. Time to upgrade.
Wayne Sallee
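Added example (not from the thread, not part of the ca-certificates package): a POSIX shell helper that does the edit described above in a repeatable way. It prefixes the given entry in a ca-certificates.conf file with `!` (the syntax update-ca-certificates uses to mark a listed certificate as untrusted), leaves an entry that already carries the `!` alone, and refuses to add an entry that is not listed. The default conf path is an assumption matching the Debian layout; pass a copy of the file when trying it out.

```shell
#!/bin/sh
# Added example, not from the thread: mark one certificate as untrusted in a
# ca-certificates.conf file by prefixing its line with '!', which is how
# update-ca-certificates expects disabled entries to look.
# Idempotent: an entry already prefixed with '!' is left alone; an entry that
# is not listed at all is reported and nothing is written.

# Usage: disable_ca_entry mozilla/DST_Root_CA_X3.crt [conf-file]
# Returns 0 if the entry is now disabled, 1 if it was not found in the file.
disable_ca_entry() {
    entry="$1"
    conf="${2:-/etc/ca-certificates.conf}"   # assumed default path (Debian layout)

    if grep -qxF -- "!$entry" "$conf"; then
        echo "already disabled: $entry"
        return 0
    fi
    if ! grep -qxF -- "$entry" "$conf"; then
        echo "not listed: $entry" >&2
        return 1
    fi

    # Escape regex metacharacters so the entry is matched literally by sed.
    pat=$(printf '%s' "$entry" | sed 's,[][\.*^$|],\\&,g')
    tmp=$(mktemp) || return 2
    # Rewrite through a temp file and cat back so the conf keeps its
    # ownership and mode (sed -i is not portable).
    sed "s|^$pat\$|!$entry|" "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
    echo "disabled: $entry"
}
```

After a successful run, re-run `update-ca-certificates` so the change is applied to /etc/ssl/certs. This only helps where the conf file is writable; it will not work on a read-only squashfs such as a mounted snap.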
My /etc/ca-certificates.conf is dated 25th September and the mozilla/DST_Root_CA_X3.crt entry already was commented out with a '!'.
However, it is also listed in /snap/core18/2128/etc/ca-certificates.conf and I've already found that trying to change that results in it being marked 'broken'.
If it can help anyone: the problem of a wrong chain response for an ASP.NET application was in my case resolved by deleting the certificate cache, on a Linux machine at /home/username/.dotnet/corefx/cryptography/x509stores/ca, and restarting the application.
A post was split to a new topic: Nginx with preferred-chain "ISRG Root X1" - still showing "DST Root CA X3"