Help thread for DST Root CA X3 expiration (September 2021)

rg305 · September 30, 2021, 6:35pm

Stale/cached information...
The trusted root store is out of date...
It's a Thursday...
It's the last day of the month...

Lorance · September 30, 2021, 6:42pm

Is there some way of getting an X1 cert back? We've lost access to hundreds of remote clients that are using lets encrypt. All stopped communicating but will reboot in 8hrs.
If there is s way to get X1 back, even for a day or two, we could send a new firmware update to all of our customers devices.

rg305 · September 30, 2021, 6:43pm

Travel back in time...
[fool them by setting their clocks back]

ajeje989 · September 30, 2021, 6:45pm

i don't undestand for fix we need to wait ?
or we nee to edit on our webserver ?

rg305 · September 30, 2021, 6:45pm

@ajeje989
What problem are you having?

wallace.wgr · September 30, 2021, 6:47pm

Did anyone get a solution? Why do some devices insist on accessing through DST Root CA X3?

dennis2130 · September 30, 2021, 6:49pm

Are you seeing this with any particular devices? My issues are with Apple Devices. Windows machines running most browsers seems to be working fine for me.

rg305 · September 30, 2021, 6:49pm

There are several possible reasons.
The one that is probably the likeliest is that the web server is NOT sending any chain information.
Which leaves the client devices to fend for themselves - and they don't all come to the same conclusion.

seanm · September 30, 2021, 6:50pm

Thanks Phil. So I edited /usr/local/etc/letsencrypt/live/foo.example.com/fullchain.pem to remove the last entry and now I get the chain you say is correct.

What had I done wrong to have that 3rd item in there in the first place? Or is its presence normal but only problematic for some clients?

jacek-kubek · September 30, 2021, 6:50pm

I have forced renew my certificate, but there is still DST Root CA X3 in chain.

SSL Certificate Checker reports:

| Issuer         | Common name    | Organization                     | Issued       | Expires      |
|----------------|----------------|----------------------------------|--------------|--------------|
| R3             | mydomain.tld   | NA                               | Sep 30, 2021 | Dec 29, 2021 |
| ISRG Root X1   | R3             | Let's Encrypt                    | Sep 04, 2020 | Sep 15, 2025 |
| DST Root CA X3 | ISRG Root X1   | Internet Security Research Group | Jan 20, 2021 | Sep 30, 2024 |
| NA             | DST Root CA X3 | Digital Signature Trust Co.      | Sep 30, 2000 | Sep 30, 2021 |

dennis2130 · September 30, 2021, 6:52pm

@rg305

Can you use Certify the Web to include the full chain with the cert? That's what I keep seeing as the solution to my issue, but I can't find a way to do it.

rg305 · September 30, 2021, 6:52pm

Yes, problematic.

Lorance · September 30, 2021, 6:54pm

Wow, so many posts, it's impossible to keep track of anything.

Is there some way that we could add support on our server to allow for X1?
Hundreds of remote devices have stopped communicating because of this oversight but if we could support X1 temporarily, we would be able to send an update to the devices.

Intermediate file perhaps, put somewhere in the directory structure of the /etc/letsencrypt directory?

rg305 · September 30, 2021, 6:55pm

Force renew does nothing to change the chain - it only wastes a cert.
It's the same chain that has been served since May.
If you don't want that chain, then try removing it manually from the fullchain.pem file.
[it's the last one]

rg305 · September 30, 2021, 6:56pm

Do they all get their time from a known NTP server?
[hopefully one you can control]

Lorance · September 30, 2021, 7:02pm

No, NTP org and no remote access since nothing htps is working so they aren't communicating.

wallace.wgr · September 30, 2021, 7:06pm

About DST Root CA X1 having expired today, we who are facing problems with customers trying to use this chain that has expired, is there anything that can be done? Do we have to hope that everything will normalize? Is it necessary to change something in our server/api?

Cryptoman · September 30, 2021, 7:10pm

If the client didn't find a new chain on its own, I don't think doing server-side interventions will yield results. What you could try to do is update your server's chain to serve only the short chain, without the expired certificate present, but clients could still have problems if they don't update the cache.

jp1839 · September 30, 2021, 7:29pm

Ah, my chain is still appearing as:

openssl s_client -connect api.tzkt.io:443
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api.tzkt.io
verify return:1
---
Certificate chain
 0 s:CN = api.tzkt.io
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

Showing the DST Root CA X3 certificate.

I've removed the cert from /etc/ssl/cert.pem which has fixed cURL.

I'm still having issues with OpenSSL 1.0.2 and other tools that use SSL like Python.

(For context, this is on my personal laptop - a Macbook running OSX 10.13.6)

gianpaolodn · September 30, 2021, 7:33pm

did you find any solution? im waiting for the same answer