Help thread for DST Root CA X3 expiration (September 2021)

mmncs · October 12, 2021, 10:10pm

Invalid certificate

Now it says that this certificate was signed by an untrusted issuer, but the chain has changed to:

ISRG Root X1
-- R3
-- mydomain.com

rg305 · October 12, 2021, 10:13pm

@mmncs
If you check the site with SSL Labs, and it shows OK there, then this new problem is within your client.
Which implies it doesn't have the latest ca-certificates (or Windows Update or Mac update or etc.)

mmncs · October 12, 2021, 10:23pm

I have tried acces on Opera and Chrome and I can see that it has removed

DST Root CA X3

But it still doesn't work on either. This is on my older mac.

Here is the overall rating:

https://www.ssllabs.com/ssltest/analyze.html?d=www.beautonart.com

Overall rating: B

Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

rg305 · October 12, 2021, 10:25pm

If it is below 10.12. you might have issues.

mmncs · October 12, 2021, 10:26pm

It is 10.9.5

Is there any way to get it working then?

rg305 · October 12, 2021, 10:38pm

Try this "fix":

mmncs · October 12, 2021, 10:51pm

Is that something I have to install on the mac?

Since I have had others who have contacted me who gets the same error and I can see that my traffic have decreased about 20% which very well could be because of this warning and I have no way to ask people who visit the site to install anything.

I have followed this issue and saw the video where they said there would be no issues with browsers and it seems that more people than you would think are using very old laptops.

rg305 · October 12, 2021, 10:55pm

If this is affecting systems outside your control...
Then I can only think of one immediate solution:

You need to switch to another entirely different chain.
Like from another (free) CA that is ACME protocol friendly.

mmncs · October 12, 2021, 10:57pm

So Lets encrypt doesnt work on older laptops?

rg305 · October 12, 2021, 11:04pm

It's not Let's Encrypt that fails to work.
It's the lack of updated trust stores (and relevant TLS libraries).

Older... yes
Really old... probably not.
[eventually such older systems will have problems with all CAs - LE was just the first to expire]

Think...
I can no longer here your radio station - on my A.M. radio.

mmncs · October 12, 2021, 11:06pm

So this is not a decision from letsencrypt?

The big problem is that people who visit the site will think it is a virus filled site...

Stealing their credit card information as it states in chrome. If it just said they have to update their system then it would be another story

rg305 · October 12, 2021, 11:08pm

The only decision LE made was which (of the two remaining paths) would it serve as the default.
[a root cert expiry is not something any choice can avoid]
And of the two trust paths, some systems (like your MacOS 10.9.5) won't like either.

rg305 · October 12, 2021, 11:10pm

Then they will get the same message from any of the other 200 million sites that use LE certs.
They will likely start to see the pattern and realize it is their systems that needs the "fix" or upgrade.

rg305 · October 12, 2021, 11:11pm

LE has zero control over messages shown by Chrome.

mmncs · October 12, 2021, 11:14pm

I'm not sure what you mean by the two remaining paths and it would still have been nice with a bit of warning instead of saying that there would be no issues at all with browsers.

Could they have waited?

mmncs · October 12, 2021, 11:40pm

Well thank you for you help.

rg305 · October 13, 2021, 12:53am

No.
The root expired and that can't be postponed.

There are currently two remaining "valid" trust paths:

the longer chain (via "DST Root CA X3 (expired)"
good for old Android devices
the shorter chain (via "ISRG Root X1")
good for devices that have that "newer" root installed ("trusted")

kongian85 · October 13, 2021, 5:21pm

Hello to all,

I need your help with a client of ours. her web system works on any computer we have apart of hers.

She has a mac 2014 , and she is getting certificate error when in all other devices is opening with no problems.

DST Root CA X3 ( Expired )

How can I update the root on that laptop as it affects the ISRG Root X1 which is below this.

I wish I could put a screenshot here to see it.

She is running mac os 10.11 ...

Thank you in advance,

Nummer378 · October 13, 2021, 5:46pm

If someone who has access to that system is comfortable with using a command line, this may be the "quick fix":

Otherwise, there are more manual (but graphical) instructions here:

(The reason why you're seeing this error in the first place is because ISRG Root X1 is only included in macOS 10.12.1 or newer, but that system is slightly older than the cutoff. Your other systems probably are all running a newer version of macOS, so they don't have these issues. You could also try updating the affected system to a more recent macOS, instead of the above)

erglazier · October 14, 2021, 3:17am

@stiobhan , I too am getting the exact same thing on our Centos 7 FreeIPA when running ipa-server-certinstall. I've been trying every which way to get the DST CA out of /etc/ssl/certs and/or /etc/ipa/ca.crt. Are you still stuck with this issue?