Help thread for DST Root CA X3 expiration (September 2021)

Yes, that is included intentionally to give some extended support for older Android devices.
As all other, newer systems will short-circuit the trust path verification as soon as they reach a trusted root ("ISRG Root X1"), this does no harm to them.

3 Likes

Thank you so much!

Dominique

1 Like

Sorry... I'm all out of likes :frowning:
Consider your post liked :heart:

6 Likes

Thanks, turns out our proxies were caching the old cert, had to delete it from the proxies and clear the cache, fun times :slight_smile:

2 Likes

Aah!
Yes, a whole other layer of potential problems - LOL

2 Likes

Hi. Mac OS 11.5.2. Cannot work after DST Root CA X3 expiration. We have this cert only on our dev services. Maybe you have any tips for Mac OS to ignore expiration?

1 Like

Try updating the chain / providing a (more) complete chain.
Which files are you using?

2 Likes

hmm, I still have the problem that some clients cannot connect to our server.
I see in the client debug-log:
"The issuer certificate of a locally looked up certificate could not be found"
host: nucloud.nucleus-server.com

I ran a check on https://whatsmychaincert.com/ but it looks ok.

1 Like

Is anybody else seeing "SSL Error: Certificate has expired" in Postman? We're running Windows Server, so I followed webprofusion's tutorial and I believe we're serving the correct chain.

Although as of the other day https://chainchecker.certifytheweb.com/ showed that we were using the legacy chain, and as of today it's showing that we're using the modern chain, but the openssl output hasn't changed, so now I'm not sure whether I have everything set up correctly or not...

```
$ openssl s_client -connect api.mcmasterpoppk.org:443 -servername api.mcmasterpoppk.org
CONNECTED(00000204)
---
Certificate chain
 0 s:/CN=api.mcmasterpoppk.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
```

Based on previous messages, I believe that's the expected output for the legacy chain?

Thanks,
Rick

3 Likes

The certificate chain fails for SOME computers with Invalid Date.

In my customer's computer I see this:
Screenshot 2021-09-30 124642

In my own computer I see this other certification path with all correct: ISRG Root X1 -> R3 -> www.remotes.com.uy

I already checked the computer's clock, renewed everything, checked it's using the fullchain.pem and restarted nginx.
What else can I do?
I need to solve this ASAP! My customer can't connect to the website

1 Like


Hello,

I have a Mac and I am wondering how I can possibly update the expired DST Root CA X3 certificate to the ISRG Root X1 as I basically can't access anything on the Internet due to the expiration of the certificate. I have tried to go through Keychain Access to do it but I don't really know how to.

Sorry for the trouble and thank you for your help!

1 Like

"The issuer certificate of a locally looked up certificate could not be found"
Is it possible that these clients don't have the new root-ca installed on their systems?

1 Like

Have them clear the cache - restart browser.
If still fails, is your server behind a load-balancer or proxy?

3 Likes

Starting today, we started having issues on Ubuntu 16 & Ubuntu 18.
What should we do?

1 Like

For anyone using caddy server, I needed the following global directive to force the correct chain:

```
{
  ...

  preferred_chains {
    root_common_name "ISRG Root X1"
  }
}
```

This fixed our cert issues in Electron.

4 Likes

I get something totally different:

```
openssl s_client -connect ishanjain.me:443 -servername ishanjain.me
CONNECTED(00000194)
depth=1 C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
verify error:num=20:unable to get local issuer certificate
Server did acknowledge servername extension.
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Cloudflare, Inc./CN=sni.cloudflaressl.com
   i:/C=US/O=Cloudflare, Inc./CN=Cloudflare Inc ECC CA-3
 1 s:/C=US/O=Cloudflare, Inc./CN=Cloudflare Inc ECC CA-3
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
```

2 Likes

The upgrade to the latest win-acme client, and then a forced renewal of the certificates is what my team ended up doing to get this back up... there was a bug in the win-acme client that was fixed in version v2.1.19 last week - Let's Encrypt change on September 30 (DST Root CA X3) · Issue #1843 · win-acme/win-acme · GitHub

3 Likes

Already done that, no change, even with a different browser. Tried everything: incognito, different browser, restarting the computer, etc.

1 Like

macOS Big Sur version 11.3 says the root certificate has expired. I checked the root certificates in Chrome: the DST certificate was removed and the ISRG certificate exists. Can anyone help me?

1 Like

So is there a load-balancer or proxy involved?

2 Likes