Help thread for DST Root CA X3 expiration (September 2021)

rg305 · October 12, 2021, 11:11pm

LE has zero control over messages shown by Chrome.

mmncs · October 12, 2021, 11:14pm

I'm not sure what you mean by the two remaining paths and it would still have been nice with a bit of warning instead of saying that there would be no issues at all with browsers.

Could they have waited?

mmncs · October 12, 2021, 11:40pm

Well thank you for you help.

rg305 · October 13, 2021, 12:53am

No.
The root expired and that can't be postponed.

There are currently two remaining "valid" trust paths:

the longer chain (via "DST Root CA X3 (expired)"
good for old Android devices
the shorter chain (via "ISRG Root X1")
good for devices that have that "newer" root installed ("trusted")

kongian85 · October 13, 2021, 5:21pm

Hello to all,

I need your help with a client of ours. her web system works on any computer we have apart of hers.

She has a mac 2014 , and she is getting certificate error when in all other devices is opening with no problems.

DST Root CA X3 ( Expired )

How can I update the root on that laptop as it affects the ISRG Root X1 which is below this.

I wish I could put a screenshot here to see it.

She is running mac os 10.11 ...

Thank you in advance,

Nummer378 · October 13, 2021, 5:46pm

If someone who has access to that system is comfortable with using a command line, this may be the "quick fix":

Otherwise, there are more manual (but graphical) instructions here:

(The reason why you're seeing this error in the first place is because ISRG Root X1 is only included in macOS 10.12.1 or newer, but that system is slightly older than the cutoff. Your other systems probably are all running a newer version of macOS, so they don't have these issues. You could also try updating the affected system to a more recent macOS, instead of the above)

erglazier · October 14, 2021, 3:17am

@stiobhan , I too am getting the exact same thing on our Centos 7 FreeIPA when running ipa-server-certinstall. I've been trying every which way to get the DST CA out of /etc/ssl/certs and/or /etc/ipa/ca.crt. Are you still stuck with this issue?

rg305 · October 14, 2021, 3:34am

@erglazier
Have you tried (using a bigger hammer!)?

vi /etc/ssl/certs/ca-bundle.crt
vi /etc/ssl/certs/ca-bundle.trust.crt

stiobhan · October 14, 2021, 6:18am

@erglazier
I managed to solve it with some help on the FreeIPA mailing list. Have a look here

[Freeipa-users] Re: FreeIPA letsencrypt certificate problems after recent expiration of DST Root CA X3 - FreeIPA-users - Fedora Mailing-Lists

I had the additional problem on one of our servers that the certificate itself had already expired. If yours is still valid you probably won't have to dig as deep as I did. Just make sure you replace the cross-signed X1 root cert with the self-signed one. If you have further questions I can help you over on the freeipa-users list.

rg305 · October 14, 2021, 6:25am

@stiobhan
I'm a bit lost...
Where did you find the cross-signed X1 to remove?

stiobhan · October 14, 2021, 7:37am

FreeIPA keeps this in a nss database

# certutil -L -d /etc/dirsrv/slapd-REALM

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=MY_HOSTNAME                                               u,u,u
CN=R3,O=Let's Encrypt,C=US                                   C,,  
CN=ISRG Root X1,O=Internet Security Research Group,C=US      C,,

and then also a file /etc/ipa/ca.crt. I removed both the expired X3 and the cross-signed X1, and then put the self-signed X1 in.

My1 · October 14, 2021, 8:51am

super weird issue here with an univention server , we cannot renew certs for some reason because apprently curl while getting the correct R3 from the server doesnt seem to chain it down to ISRG however in /etc/ssl/certs it's definitely present and wget doesnt seem to have issues. curl basically just says that the certificate expired when trying to curl the acme v2 api endpoint.

root@server:/# curl -v https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: certificate has expired
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

rg305 · October 14, 2021, 11:56am

Can you confirm that those locations have the self-signed "ISRG Root X1" cert?
grep MIIFazCCA1OgAwIBAgIRAIIQz /etc/ssl/certs/ca-certificates.crt
grep MIIFazCCA1OgAwIBAgIRAIIQz /etc/ssl/certs/ISRG_Root_X1.pem

My1 · October 14, 2021, 2:07pm

yup it's in both.

erglazier · October 14, 2021, 3:39pm

Yesterday I did end up just manually editing the /etc/ipa/ca.crt and the /etc/letsencrypt/archive full chain files- removing the DST chunk from both. I was able to get things working after that but it's hacky and I'm not sure it will persist. I intend to do more testing today. And that probably means removing it from the source, as you mention.

erglazier · October 14, 2021, 4:01pm

Thank you, I will take a look at that link you sent

coronin · October 17, 2021, 10:37pm

For ubuntu 10.04 lucid

put http://curl.haxx.se/ca/cacert.pem into /usr/share/ca-certificates/
add a line cacert.pem into /etc/ca-certificates.conf
sudo update-ca-certificates

download the latest openssl and curl (configure with --with-openssl) make and install

==> fixed my problem

amandadukor · October 18, 2021, 3:08am

Good morning
Please people are having issues connecting to my website

I don't understand why. It is working on some other devices.

amandadukor · October 18, 2021, 3:09am

Good morning
Please people are having issues connecting to my website. There seems to be a connection issue. A problem with my ssl certificate. But i installation my certificate properly.

I don't understand why. It is working on some other devices.

rg305 · October 18, 2021, 3:39am

Hi @amandadukor and welcome to the LE community forum

I think you may need to review (and update) whatever installation instructions you followed.
The site is serving a chain that has expired and hasn't been provided by LE since May 2021.

echo | openssl s_client -connect amandadukor.com:443 -servername amandadukor.com | head
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
DONE
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = amandadukor.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---