Yes; one way is to switch to another (free and ACME-friendly) CA.
No way to get it to work with letsencrypt?
I can't go to another CA because I have lots of domains. The other CAs' free plans are too limited.
I really need to choose between my APIs working or support for older android versions?
curl should be able to work with the longer chain, depending on software versions used.
Ok, that's good.
Which software / versions are we talking about? Can you point me to a way to check that?
They say openssl must be over 1.1. When I run openssl version
I get:
OpenSSL 1.1.0h 27 Mar 2018
lsb_release
prints out:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.7 LTS
Release: 16.04
Codename: xenial
Anything else I need to check?
Please show:
apt list | grep installed | grep cert
You should see:
ca-certificates/xenial-updates,xenial-updates,xenial-security,xenial-security,now 20210119~16.04.1 all [installed]
ca-certificates/xenial-updates,xenial-security,now 20210119~16.04.1 all [installed]
python-pkg-resources/xenial,now 33.1.1-1+certbot~xenial+1 all [installed,automatic]
python3-acme/xenial,now 0.31.0-2+ubuntu16.04.6+certbot+2 all [installed,auto-removable]
python3-asn1crypto/xenial,now 0.22.0-2+ubuntu16.04.1+certbot+1 all [installed,automatic]
python3-augeas/xenial,now 0.5.0-1+ubuntu16.04.1+certbot+1 all [installed,auto-removable]
python3-certbot/xenial,now 0.31.0-2~deb10u1+ubuntu16.04.1+certbot+3 all [installed,auto-removable]
python3-certifi/xenial,now 2017.4.17-2+ubuntu16.04.1+certbot+1 all [installed,auto-removable]
python3-cffi-backend/xenial,now 1.10.0-0.1+ubuntu16.04.1+certbot+1 amd64 [installed]
python3-chardet/xenial,now 3.0.4-1+ubuntu16.04.1+certbot+2 all [installed]
python3-configargparse/xenial,now 0.11.0-1+certbot~xenial+1 all [installed,auto-removable]
python3-configobj/xenial,now 5.0.6-2+ubuntu16.04.1+certbot+1 all [installed]
python3-cryptography/xenial,now 1.9-1+ubuntu16.04.1+certbot+2 amd64 [installed]
python3-future/xenial,now 0.15.2-4+ubuntu16.04.1+certbot+3 all [installed,auto-removable]
python3-idna/xenial,now 2.5-1+ubuntu16.04.1+certbot+1 all [installed]
python3-ndg-httpsclient/xenial,now 0.4.2-1+certbot~xenial+1 all [installed,auto-removable]
python3-openssl/xenial,now 17.3.0-1~0+ubuntu16.04.1+certbot+1 all [installed,automatic]
python3-parsedatetime/xenial,now 2.4-3+ubuntu16.04.1+certbot+3 all [installed,auto-removable]
python3-pkg-resources/xenial,now 33.1.1-1+certbot~xenial+1 all [installed]
python3-pyasn1/xenial,now 0.1.9-2+certbot~xenial+1 all [installed]
python3-requests/xenial,now 2.18.1-1+ubuntu16.04.1+certbot+1 all [installed,auto-removable]
python3-requests-toolbelt/xenial,now 0.8.0-1+ubuntu16.04.1+certbot+1 all [installed,auto-removable]
python3-rfc3339/xenial,now 1.0-4+certbot~xenial+1 all [installed,auto-removable]
python3-six/xenial,now 1.11.0-1+ubuntu16.04.1+certbot+1 all [installed]
python3-urllib3/xenial,now 1.21.1-1+ubuntu16.04.1+certbot+1 all [installed]
python3-zope.component/xenial,now 4.3.0-1+ubuntu16.04.1+certbot+3 all [installed,auto-removable]
python3-zope.hookable/xenial,now 4.0.4-4+ubuntu16.04.1+certbot+1 amd64 [installed,auto-removable]
python3-zope.interface/xenial,now 4.3.2-1+ubuntu16.04.1+certbot+1 amd64 [installed,auto-removable]
ssl-cert/xenial,now 1.0.37 all [installed,automatic]
Well, that looks right.
Please show the outputs of:
ls -l /etc/ssl/certs/* | grep -Ei 'R3|DST|ISRG'
and
apt update
and
apt install curl
lrwxrwxrwx 1 root root 27 Out 1 22:15 /etc/ssl/certs/062cdee6.0 -> GlobalSign_Root_CA_-_R3.pem
lrwxrwxrwx 1 root root 15 Out 1 22:15 /etc/ssl/certs/0a775a30.0 -> GTS_Root_R3.pem
lrwxrwxrwx 1 root root 27 Out 1 22:15 /etc/ssl/certs/1e8e7201.0 -> GlobalSign_Root_CA_-_R3.pem
lrwxrwxrwx 1 root root 16 Out 1 22:15 /etc/ssl/certs/4042bcee.0 -> ISRG_Root_X1.pem
lrwxrwxrwx 1 root root 16 Out 1 22:15 /etc/ssl/certs/6187b673.0 -> ISRG_Root_X1.pem
lrwxrwxrwx 1 root root 15 Out 1 22:15 /etc/ssl/certs/6b03dec0.0 -> GTS_Root_R3.pem
lrwxrwxrwx 1 root root 62 Out 1 20:30 /etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt
lrwxrwxrwx 1 root root 50 Out 1 20:30 /etc/ssl/certs/GTS_Root_R3.pem -> /usr/share/ca-certificates/mozilla/GTS_Root_R3.crt
lrwxrwxrwx 1 root root 51 Out 1 20:30 /etc/ssl/certs/ISRG_Root_X1.pem -> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
Hit:1 http://mirrors.digitalocean.com/ubuntu xenial InRelease
Get:2 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]
Hit:3 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial InRelease
Get:4 http://mirrors.digitalocean.com/ubuntu xenial-updates InRelease [109 kB]
Hit:5 http://ppa.launchpad.net/ondrej/apache2/ubuntu xenial InRelease
Get:6 http://mirrors.digitalocean.com/ubuntu xenial-backports InRelease [107 kB]
Hit:7 https://repos.insights.digitalocean.com/apt/do-agent main InRelease
Hit:8 http://ppa.launchpad.net/ondrej/php/ubuntu xenial InRelease
Get:9 https://deb.nodesource.com/node_9.x xenial InRelease [4.622 B]
Get:10 http://mirrors.digitalocean.com/ubuntu xenial-updates/main Sources [537 kB]
Get:11 http://mirrors.digitalocean.com/ubuntu xenial-updates/main amd64 Packages [2.049 kB]
Fetched 2.916 kB in 1s (1.928 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
152 packages can be upgraded. Run 'apt list --upgradable' to see them.
E: dpkg was interrupted, you must manually run 'sudo dpkg --configure -a' to correct the problem.
Well, that's quite a big list.
I'm aware there are a lot of things to update, but I'm afraid to break something when I do it, since I was not responsible for this droplet's initial setup.
Here's the list:
apt/xenial-updates 1.2.35 amd64 [upgradable from: 1.2.32ubuntu0.2]
apt-transport-https/xenial-updates 1.2.35 amd64 [upgradable from: 1.2.32ubuntu0.2]
apt-utils/xenial-updates 1.2.35 amd64 [upgradable from: 1.2.32ubuntu0.2]
bind9-host/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
bsdutils/xenial-updates 1:2.27.1-6ubuntu3.10 amd64 [upgradable from: 1:2.27.1-6ubuntu3.4]
btrfs-tools/xenial-updates 4.4-1ubuntu1.1 amd64 [upgradable from: 4.4-1ubuntu1]
cloud-guest-utils/xenial-updates 0.27-0ubuntu25.2 all [upgradable from: 0.27-0ubuntu25.1]
cloud-initramfs-copymods/xenial-updates 0.27ubuntu1.6 all [upgradable from: 0.27ubuntu1.5]
cloud-initramfs-dyn-netconf/xenial-updates 0.27ubuntu1.6 all [upgradable from: 0.27ubuntu1.5]
console-setup/xenial-updates 1.108ubuntu15.5 all [upgradable from: 1.108ubuntu15.3]
console-setup-linux/xenial-updates 1.108ubuntu15.5 all [upgradable from: 1.108ubuntu15.3]
curl/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
debconf/xenial-updates 1.5.58ubuntu2 all [upgradable from: 1.5.58ubuntu1]
debconf-i18n/xenial-updates 1.5.58ubuntu2 all [upgradable from: 1.5.58ubuntu1]
distro-info-data/xenial-updates,xenial-security 0.28ubuntu0.18 all [upgradable from: 0.28ubuntu0.16]
dmidecode/xenial-updates 3.0-2ubuntu0.2 amd64 [upgradable from: 3.0-2ubuntu0.1]
dnsmasq-base/xenial-updates,xenial-security 2.75-1ubuntu0.16.04.10 amd64 [upgradable from: 2.75-1ubuntu0.16.04.7]
dnsutils/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
do-agent/main 3.12.0 amd64 [upgradable from: 3.9.0]
dpkg/xenial-updates 1.18.4ubuntu1.7 amd64 [upgradable from: 1.18.4ubuntu1.4]
dpkg-dev/xenial-updates 1.18.4ubuntu1.7 all [upgradable from: 1.18.4ubuntu1.4]
friendly-recovery/xenial-updates 0.2.31ubuntu2.1 all [upgradable from: 0.2.31ubuntu1]
git/xenial-updates,xenial-security 1:2.7.4-0ubuntu1.10 amd64 [upgradable from: 1:2.7.4-0ubuntu1.9]
git-man/xenial-updates,xenial-security 1:2.7.4-0ubuntu1.10 all [upgradable from: 1:2.7.4-0ubuntu1.9]
grub-common/xenial-updates 2.02~beta2-36ubuntu3.32 amd64 [upgradable from: 2.02~beta2-36ubuntu3.27]
grub-efi-amd64/xenial-updates 2.04-1ubuntu44.1.2 amd64 [upgradable from: 2.02~beta2-36ubuntu3.27]
grub-efi-amd64-bin/xenial-updates 2.04-1ubuntu44.1.2 amd64 [upgradable from: 2.02~beta2-36ubuntu3.27]
grub-efi-amd64-signed/xenial-updates 1.167~16.04.6+2.04-1ubuntu44.1.2 amd64 [upgradable from: 1.66.27+2.02~beta2-36ubuntu3.27]
grub-legacy-ec2/xenial-updates 21.1-19-gbad84ad4-0ubuntu1~16.04.2 all [upgradable from: 18.2-4-g05926e48-0ubuntu1~16.04.2]
grub-pc-bin/xenial-updates 2.02~beta2-36ubuntu3.32 amd64 [upgradable from: 2.02~beta2-36ubuntu3.27]
grub2-common/xenial-updates 2.02~beta2-36ubuntu3.32 amd64 [upgradable from: 2.02~beta2-36ubuntu3.27]
guile-2.0-libs/xenial-updates 2.0.11+1-10ubuntu0.1 amd64 [upgradable from: 2.0.11+1-10]
ifupdown/xenial-updates 0.8.10ubuntu1.4 amd64 [upgradable from: 0.8.10ubuntu1.3]
initramfs-tools/xenial-updates 0.122ubuntu8.17 all [upgradable from: 0.122ubuntu8.14]
initramfs-tools-bin/xenial-updates 0.122ubuntu8.17 amd64 [upgradable from: 0.122ubuntu8.14]
initramfs-tools-core/xenial-updates 0.122ubuntu8.17 all [upgradable from: 0.122ubuntu8.14]
iproute2/xenial-updates 4.3.0-1ubuntu3.16.04.5 amd64 [upgradable from: 4.3.0-1ubuntu3.16.04.3]
keyboard-configuration/xenial-updates 1.108ubuntu15.5 all [upgradable from: 1.108ubuntu15.3]
kmod/xenial-updates 22-1ubuntu5.2 amd64 [upgradable from: 22-1ubuntu5]
libapt-inst2.0/xenial-updates 1.2.35 amd64 [upgradable from: 1.2.32ubuntu0.2]
libapt-pkg5.0/xenial-updates 1.2.35 amd64 [upgradable from: 1.2.32ubuntu0.2]
libbind9-140/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libblkid1/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
libc-bin/xenial-updates,xenial-security 2.23-0ubuntu11.3 amd64 [upgradable from: 2.23-0ubuntu11.2]
libc-dev-bin/xenial-updates,xenial-security 2.23-0ubuntu11.3 amd64 [upgradable from: 2.23-0ubuntu11.2]
libc6/xenial-updates,xenial-security 2.23-0ubuntu11.3 amd64 [upgradable from: 2.23-0ubuntu11.2]
libc6-dev/xenial-updates,xenial-security 2.23-0ubuntu11.3 amd64 [upgradable from: 2.23-0ubuntu11.2]
libcurl3/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
libcurl3-gnutls/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
libdns-export162/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libdns162/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libdpkg-perl/xenial-updates 1.18.4ubuntu1.7 all [upgradable from: 1.18.4ubuntu1.4]
libdrm-common/xenial-updates 2.4.91-2~16.04.1 all [upgradable from: 2.4.83-1~16.04.1]
libdrm2/xenial-updates 2.4.91-2~16.04.1 amd64 [upgradable from: 2.4.83-1~16.04.1]
libfdisk1/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
libglib2.0-0/xenial-updates,xenial-security 2.48.2-0ubuntu4.8 amd64 [upgradable from: 2.48.2-0ubuntu4.6]
libglib2.0-data/xenial-updates,xenial-security 2.48.2-0ubuntu4.8 all [upgradable from: 2.48.2-0ubuntu4.6]
libhogweed4/xenial-updates,xenial-security 3.2-1ubuntu0.16.04.2 amd64 [upgradable from: 3.2-1ubuntu0.16.04.1]
libisc-export160/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libisc160/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libisccc140/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libisccfg140/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libjs-sphinxdoc/xenial-updates 1.3.6-2ubuntu1.2 all [upgradable from: 1.3.6-2ubuntu1.1]
libjs-underscore/xenial-updates,xenial-security 1.7.0~dfsg-1ubuntu1.1 all [upgradable from: 1.7.0~dfsg-1ubuntu1]
libkmod2/xenial-updates 22-1ubuntu5.2 amd64 [upgradable from: 22-1ubuntu5]
libldap-2.4-2/xenial-updates,xenial-security 2.4.42+dfsg-2ubuntu3.13 amd64 [upgradable from: 2.4.42+dfsg-2ubuntu3.12]
liblwres141/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
liblxc1/xenial-updates 2.0.11-0ubuntu1~16.04.3 amd64 [upgradable from: 2.0.8-0ubuntu1~16.04.2]
libmount1/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
libnettle6/xenial-updates,xenial-security 3.2-1ubuntu0.16.04.2 amd64 [upgradable from: 3.2-1ubuntu0.16.04.1]
libpam-modules/xenial-updates 1.1.8-3.2ubuntu2.3 amd64 [upgradable from: 1.1.8-3.2ubuntu2.1]
libpam-modules-bin/xenial-updates 1.1.8-3.2ubuntu2.3 amd64 [upgradable from: 1.1.8-3.2ubuntu2.1]
libpam-runtime/xenial-updates 1.1.8-3.2ubuntu2.3 all [upgradable from: 1.1.8-3.2ubuntu2.1]
libpam-systemd/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
libpam0g/xenial-updates 1.1.8-3.2ubuntu2.3 amd64 [upgradable from: 1.1.8-3.2ubuntu2.1]
libpci3/xenial-updates 1:3.3.1-1.1ubuntu1.3 amd64 [upgradable from: 1:3.3.1-1.1ubuntu1.2]
libplymouth4/xenial-updates 0.9.2-3ubuntu13.5 amd64 [upgradable from: 0.9.2-3ubuntu13.4]
libprocps4/xenial-updates 2:3.3.10-4ubuntu2.5 amd64 [upgradable from: 2:3.3.10-4ubuntu2.4]
libpython2.7/xenial-updates,xenial-security 2.7.12-1ubuntu0~16.04.18 amd64 [upgradable from: 2.7.12-1ubuntu0~16.04.13]
libpython2.7-minimal/xenial-updates,xenial-security 2.7.12-1ubuntu0~16.04.18 amd64 [upgradable from: 2.7.12-1ubuntu0~16.04.13]
libpython2.7-stdlib/xenial-updates,xenial-security 2.7.12-1ubuntu0~16.04.18 amd64 [upgradable from: 2.7.12-1ubuntu0~16.04.13]
libpython3.5/xenial-updates,xenial-security 3.5.2-2ubuntu0~16.04.13 amd64 [upgradable from: 3.5.2-2ubuntu0~16.04.12]
libpython3.5-minimal/xenial-updates,xenial-security 3.5.2-2ubuntu0~16.04.13 amd64 [upgradable from: 3.5.2-2ubuntu0~16.04.12]
libpython3.5-stdlib/xenial-updates,xenial-security 3.5.2-2ubuntu0~16.04.13 amd64 [upgradable from: 3.5.2-2ubuntu0~16.04.12]
libseccomp2/xenial-updates 2.5.1-1ubuntu1~16.04.1 amd64 [upgradable from: 2.4.3-1ubuntu3.16.04.3]
libslang2/xenial-updates 2.3.0-2ubuntu1.1 amd64 [upgradable from: 2.3.0-2ubuntu1]
libsmartcols1/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
libssl1.0.0/xenial-updates,xenial-security 1.0.2g-1ubuntu4.20 amd64 [upgradable from: 1.0.2g-1ubuntu4.18]
libsystemd0/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
libtiff5/xenial-updates,xenial-security 4.0.6-1ubuntu0.8 amd64 [upgradable from: 4.0.6-1ubuntu0.7]
libudev1/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
libuuid1/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
linux-headers-generic/xenial-updates,xenial-security 4.4.0.210.216 amd64 [upgradable from: 4.4.0.201.207]
linux-headers-virtual/xenial-updates,xenial-security 4.4.0.210.216 amd64 [upgradable from: 4.4.0.201.207]
linux-image-virtual/xenial-updates,xenial-security 4.4.0.210.216 amd64 [upgradable from: 4.4.0.201.207]
linux-libc-dev/xenial-updates,xenial-security 4.4.0-210.242 amd64 [upgradable from: 4.4.0-201.233]
linux-virtual/xenial-updates,xenial-security 4.4.0.210.216 amd64 [upgradable from: 4.4.0.201.207]
locales/xenial-updates,xenial-security 2.23-0ubuntu11.3 all [upgradable from: 2.23-0ubuntu11.2]
login/xenial-updates 1:4.2-3.1ubuntu5.4 amd64 [upgradable from: 1:4.2-3.1ubuntu5.3]
lshw/xenial-updates 02.17-1.1ubuntu3.6 amd64 [upgradable from: 02.17-1.1ubuntu3.5]
lxc-common/xenial-updates 2.0.11-0ubuntu1~16.04.3 amd64 [upgradable from: 2.0.8-0ubuntu1~16.04.2]
mokutil/xenial-updates,xenial-security 0.3.0+1538710437.fb6250f-0ubuntu2~16.04.1 amd64 [upgradable from: 0.3.0-0ubuntu3]
mount/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
multiarch-support/xenial-updates,xenial-security 2.23-0ubuntu11.3 amd64 [upgradable from: 2.23-0ubuntu11.2]
open-iscsi/xenial-updates 2.0.873+git0.3b4b4500-14ubuntu3.7 amd64 [upgradable from: 2.0.873+git0.3b4b4500-14ubuntu3.4]
open-vm-tools/xenial-updates 2:10.2.0-3~ubuntu0.16.04.1 amd64 [upgradable from: 2:10.0.7-3227872-5ubuntu1~16.04.2]
openssh-client/xenial-updates 1:7.2p2-4ubuntu2.10 amd64 [upgradable from: 1:7.2p2-4ubuntu2.8]
openssh-server/xenial-updates 1:7.2p2-4ubuntu2.10 amd64 [upgradable from: 1:7.2p2-4ubuntu2.8]
openssh-sftp-server/xenial-updates 1:7.2p2-4ubuntu2.10 amd64 [upgradable from: 1:7.2p2-4ubuntu2.8]
overlayroot/xenial-updates 0.27ubuntu1.6 all [upgradable from: 0.27ubuntu1.5]
passwd/xenial-updates 1:4.2-3.1ubuntu5.4 amd64 [upgradable from: 1:4.2-3.1ubuntu5.3]
pciutils/xenial-updates 1:3.3.1-1.1ubuntu1.3 amd64 [upgradable from: 1:3.3.1-1.1ubuntu1.2]
plymouth/xenial-updates 0.9.2-3ubuntu13.5 amd64 [upgradable from: 0.9.2-3ubuntu13.4]
plymouth-theme-ubuntu-text/xenial-updates 0.9.2-3ubuntu13.5 amd64 [upgradable from: 0.9.2-3ubuntu13.4]
pollinate/xenial-updates 4.33-0ubuntu1~16.04.1 all [upgradable from: 4.25-0ubuntu1~16.04.1]
postfix/xenial-updates 3.1.0-3ubuntu0.4 amd64 [upgradable from: 3.1.0-3ubuntu0.3]
procps/xenial-updates 2:3.3.10-4ubuntu2.5 amd64 [upgradable from: 2:3.3.10-4ubuntu2.4]
psmisc/xenial-updates 22.21-2.1ubuntu0.1 amd64 [upgradable from: 22.21-2.1build1]
python-apt-common/xenial-updates 1.1.0~beta1ubuntu0.16.04.12 all [upgradable from: 1.1.0~beta1ubuntu0.16.04.11]
python2.7/xenial-updates,xenial-security 2.7.12-1ubuntu0~16.04.18 amd64 [upgradable from: 2.7.12-1ubuntu0~16.04.13]
python2.7-minimal/xenial-updates,xenial-security 2.7.12-1ubuntu0~16.04.18 amd64 [upgradable from: 2.7.12-1ubuntu0~16.04.13]
python3-apt/xenial-updates 1.1.0~beta1ubuntu0.16.04.12 amd64 [upgradable from: 1.1.0~beta1ubuntu0.16.04.11]
python3-distupgrade/xenial-updates 1:16.04.32 all [upgradable from: 1:16.04.25]
python3-josepy/xenial 1.1.0-2+ubuntu16.04.1+certbot+1 all [upgradable from: 1.0.1-1+ubuntu16.04.1+certbot+7]
python3-update-manager/xenial-updates 1:16.04.17 all [upgradable from: 1:16.04.13]
python3.5/xenial-updates,xenial-security 3.5.2-2ubuntu0~16.04.13 amd64 [upgradable from: 3.5.2-2ubuntu0~16.04.12]
python3.5-minimal/xenial-updates,xenial-security 3.5.2-2ubuntu0~16.04.13 amd64 [upgradable from: 3.5.2-2ubuntu0~16.04.12]
resolvconf/xenial-updates 1.78ubuntu7 all [upgradable from: 1.78ubuntu6]
rsyslog/xenial-updates 8.16.0-1ubuntu3.1 amd64 [upgradable from: 8.16.0-1ubuntu3]
sbsigntool/xenial-updates,xenial-security 0.6-0ubuntu10.2 amd64 [upgradable from: 0.6-0ubuntu10.1]
screen/xenial-updates,xenial-security 4.3.1-2ubuntu0.1 amd64 [upgradable from: 4.3.1-2build1]
secureboot-db/xenial-updates 1.4~ubuntu0.16.04.1 amd64 [upgradable from: 1.1]
shared-mime-info/xenial-updates 1.5-2ubuntu0.2 amd64 [upgradable from: 1.5-2ubuntu0.1]
shim/xenial-updates 15.4-0ubuntu7 amd64 [upgradable from: 13-0ubuntu2]
shim-signed/xenial-updates 1.33.1~16.04.10+15.4-0ubuntu7 amd64 [upgradable from: 1.33.1~16.04.1+13-0ubuntu2]
sosreport/xenial-updates 3.9.1-1ubuntu0.16.04.2 amd64 [upgradable from: 3.5-1~ubuntu16.04.2]
squashfs-tools/xenial-updates 1:4.3-3ubuntu2.16.04.3 amd64 [upgradable from: 1:4.3-3ubuntu2.16.04.1]
systemd/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
systemd-sysv/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
ubuntu-keyring/xenial-updates 2012.05.19.1 all [upgradable from: 2012.05.19]
ubuntu-minimal/xenial-updates 1.361.6 amd64 [upgradable from: 1.361.1]
ubuntu-release-upgrader-core/xenial-updates 1:16.04.32 all [upgradable from: 1:16.04.25]
ubuntu-standard/xenial-updates 1.361.6 amd64 [upgradable from: 1.361.1]
udev/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
uidmap/xenial-updates 1:4.2-3.1ubuntu5.4 amd64 [upgradable from: 1:4.2-3.1ubuntu5.3]
unattended-upgrades/xenial-updates 1.1ubuntu1.18.04.7~16.04.7 all [upgradable from: 0.90ubuntu0.10]
update-manager-core/xenial-updates 1:16.04.17 all [upgradable from: 1:16.04.13]
update-notifier-common/xenial-updates 3.168.15 all [upgradable from: 3.168.8]
ureadahead/xenial-updates 0.100.0-19.1 amd64 [upgradable from: 0.100.0-19]
util-linux/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
uuid-runtime/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
vlan/xenial-updates 1.9-3.2ubuntu1.16.04.5 amd64 [upgradable from: 1.9-3.2ubuntu1.16.04.4]
Can you point to any evidence responsible for curl not working with the longer chain on that list?
If so, how can I update without breaking everything? Any tips?
I'd update:
curl/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
libcurl3/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
libcurl3-gnutls/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
libssl1.0.0/xenial-updates,xenial-security 1.0.2g-1ubuntu4.20 amd64 [upgradable from: 1.0.2g-1ubuntu4.18]
[if not all of them]
Ok. I'll evaluate the best way to update the critical ones without breaking anything.
I'll let you know if it works after the updates.
Thanks in advance.
I use Ubuntu LTS and I install all updates as a routine, and my portfolio of sites is still working fine.
Hi All,
The issuer is still "CN = DST Root CA X3" after we did certbot --preferred-chain "ISRG Root X1".
We were having a problem logging into our Dovecot IMAP server. We got this message:
"sslv3 alert certificate expired: SSL alert number 45".
We found out that it was caused by the expiry of the DST Root CA X3 CA certificate and so we did this:
1. Ran dpkg-reconfigure ca-certificates and deselected mozilla/DST_Root_CA_X3.crt and installed mozilla/ISRG_Root_X1.crt.
2. Ran certbot --preferred-chain "ISRG Root X1" and selected Renew & replace the certificate
After that, we got this Dove imap-login error: "tlsv1 alert unknown ca: SSL alert".
Before we did the above steps 1 and 2, we ran openssl s_client -connect server:993 and got this:
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
After we did the above steps 1 and 2, we got this
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
The issuer is still CN = DST Root CA X3 even though the Certificate chain does not have DST Root CA X3 anymore.
We re-ran dpkg-reconfigure ca-certificates and selected mozilla/DST_Root_CA_X3.crt, and now the Dove imap-login error
is back to "sslv3 alert certificate expired".
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
root@server2:/# openssl s_client -connect server2.example1.com:443 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
We don't get any problem with our website which uses the same SSL certificate even though the openssl s_client -connect command above shows
the issuer as CN = DST Root CA X3. But in the Chrome and Edge browsers, the Certification Path only shows ISRG Root X1 as the root CA.
Thank you very much in anticipation
Hi @functioneer and welcome to the LE community forum
[and Merry Christmas (to all that celebrate that today)]
After each successful certificate renewal, all programs that were using the old cert must be restarted/reloaded so that they will use the new cert.
You must have done that with your web service (and that is now working as expected).
But you also need to do that with your email service too.
Thank you for the fast reply [rg305]!
We did restart the Dovecot service (as well as postfix and Apache) and even rebooted the server but all to no avail.
As mentioned, before we did certbot with --preferred-chain "ISRG Root X1", we got the levels of Certificate Chain with DST Root CA X3 at the third level.
After doing certbot --preferred-chain "ISRG Root X1", there are now two levels in the Certificate Chain with ISRG Root X1 at the second level.
But the issuer line of the openssl s_client -connect output still shows this:
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3
Before --preferred-chain "ISRG Root X1":
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
After we did the above steps 1 and 2, we got this
After --preferred-chain "ISRG Root X1":
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
But mysteriously, today the issuer in the openssl s_client output is now the correct ISRG Root X1.
Yesterday:
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
root@server2:/# openssl s_client -connect server2.example1.com:443 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
Today:
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = server2.example1.com
verify return:1
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
root@server2:/# openssl s_client -connect server2.example1.com:443 -servername server2.example1.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = server2.example1.com
verify return:1
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
So everything is fine now but we don't know what happened. Maybe some caching somewhere? Thank you once again Rudy.
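Added example, not part of any post in this thread: a small shell helper that reads an `openssl s_client` transcript and separates what the server sent (the "Certificate chain" section) from the path the client built (the `depth=` and `verify` lines), which is the distinction the transcripts above turn on. The function names are hypothetical and the three sample transcripts are constructed, trimmed to the shapes posted above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# In s_client output, "Certificate chain" is what the server sent, while the
# depth=/verify lines are the path the client built and where it stopped.

summarize_s_client() {
  awk '
    /^depth=[0-9]+ / {                      # one certificate of the built path
      d = $1; sub(/^depth=/, "", d)
      cn = $0; sub(/^.*CN = /, "", cn)
      if (path_depth == "") { path_depth = d; path_top = cn }  # first = top
      cur_cn = cn
      next
    }
    /^verify error:num=/ {                  # keep only the first error
      if (err == "") {
        split($0, f, ":"); err = f[2]; sub(/^num=/, "", err); err_cn = cur_cn
      }
      next
    }
    /^Certificate chain/ { in_chain = 1; next }
    /^---/ || /^Server certificate/ { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { served++ }
    in_chain && /^ *i:/ { iss = $0; sub(/^.*\/CN=/, "", iss); served_top = iss }
    END {
      verdict = (err == "") ? "ok" : "error " err " at " err_cn
      # Served certs fill depths 0..served-1 and one local root can add depth
      # "served". Anything deeper used a certificate the server did not list.
      extra = (served > 0 && path_depth + 0 > served) ? "yes" : "no"
      printf "served=%d served_top_issuer=%s | path_depth=%s path_top=%s | verify=%s | extra_link=%s\n", served, served_top, path_depth, path_top, verdict, extra
    }
  '
}

# Constructed sample: server sends the long chain (cross-signed ISRG Root X1).
sample_long_chain() {
cat <<'EOF'
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
 0 s:/CN=server2.example1.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
EOF
}

# Constructed sample: short chain listed, but the built path still reaches DST.
sample_short_chain_dst() {
cat <<'EOF'
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
Certificate chain
 0 s:/CN=server2.example1.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
EOF
}

# Constructed sample: short chain, verified to the local ISRG Root X1.
sample_short_chain_ok() {
cat <<'EOF'
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = server2.example1.com
verify return:1
Certificate chain
 0 s:/CN=server2.example1.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
EOF
}

sample_long_chain | summarize_s_client
sample_short_chain_dst | summarize_s_client
sample_short_chain_ok | summarize_s_client
```

Against a live service, pipe both streams into the function (the `depth=` lines are written to stderr), for example `openssl s_client -connect HOST:993 -servername HOST </dev/null 2>&1 | summarize_s_client`, where `HOST` is a placeholder. An `extra_link=yes` result means the path is deeper than the listed chain can explain, so the paste and the service's current state should be re-checked together with the client's trust store.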