Help thread for DST Root CA X3 expiration (September 2021)

A post was split to a new topic: AWS Lamba Ruby Runtime DST Root CA X3 Expired

2 posts were split to a new topic: Fixing validation on ubuntu 20.04 from my Xamarin app using restsharp

A post was merged into an existing topic: Fixing validation from CentOS instances

A post was split to a new topic: Gitlab - server certificate verification failed

21 posts were split to a new topic: Adding ISRG Root X1 on Windows

2 posts were split to a new topic: Debian8 impact question

10 posts were split to a new topic: Problem getting certificate re-issued; cPanel AutoSSL and rate limit

A post was split to a new topic: OS X 10.11 clients not connecting to site with Let's Encrypt certificates

A post was split to a new topic: Certbot 1.12+ which supports --preferred-chain in OS packages

2 posts were merged into an existing topic: Amazon AMIs failing to connect to backends; modifying ca-bundle

3 posts were split to a new topic: Users of older Android and Windows 7 not able to access website

A post was split to a new topic: 502 Bad Gateway using commertools

A post was split to a new topic: --preferred-chain not taking effect

10 posts were split to a new topic: MacOS keychain issue

2 posts were merged into an existing topic: Certificates are not trusted on Chrome and Safari on old iMac with El Capitan

A post was merged into an existing topic: Ubuntu Android problem

If you have any questions about whether you need to do anything special for the upcoming DST Root CA X3 expiration in September 2021, please post them here. A staff member may split out some conversations into their own threads.

Note: Your first step in debugging should be to update your operating system. Most problems are solved by running the latest operating system available for your machine, and staying up to date will also make you more secure.

Update 30 September 2021

Yesterday, the R3 signed by DST Root CA X3 intermediate expired as planned. If you experience problems related to certificate chaining you should first review your configuration and make sure your server/website/device is sending the correct chain with the updated R3 intermediate signed by ISRG Root X1. It is unlikely that you need to force renewal to resolve issues related to R3 signed by DST Root CA X3 expiring. This thread and many more on the community offer advice to review and resolve this problem.

Earlier today, the DST Root CA X3 expired as planned. Most problems related to DST Root CA X3 expiring will not be solved by force renewal. Please search the forum and this this thread for help to resolve the problems you are experiencing before opening a new thread.

12 Likes

Hello Lets Encrypt.
My question is about Zimbra. After install or renew a cert, Zimbra asks to insert to chain.pem the IdenTrust root Certificate also. Otherwise will not deploy it.
The instructions are here: Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center

What will happen after 11/21? Will Zimbra recognize Letsencrypt CA?

Thank you in advance.

2 Likes