Help thread for DST Root CA X3 expiration (September 2021)

We applied your recommendations in our traefik configuration, and it resolved the problem, thank you very much for your help.

3 Likes

On Windows I did an IIS restart and now my problems are solved. But what do I do with the old and now expired certificate? Can I delete it safely?

1 Like

@Donkerg
I would let things be for a while.
"If it ain't broke, don't fix it."

4 Likes

I can't understand one thing... does this problem fix itself? Or do you need to make some changes? I'm not so practical... can you explain it to me better?
Many old Windows users have problems with HTTPS.

1 Like

Have you changed or performed something? Or simply restarted IIS?

1 Like

Thanks, you saved my day! Missing mails on Postfix

SSL_accept error from xxx.xxx.xxx: -1
warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1544:SSL alert number 45:

sudo certbot renew --force-renewal --preferred-chain "ISRG Root X1"

2 Likes

I also did an update of Certify the Web. Then I checked SSL Labs, and everything was OK. Funny enough, one issue was a certificate that I have to manually update. I'm using a temporary website only to get the certificate and then use the certificate for my mail server. All the other websites do auto renews and worked perfectly.

1 Like

I am using a certificate in the shadowsocks app on Android 7, everything worked until yesterday. Now the certificate only works with Windows 10 and Android 10 in the shadowsocks app. Please tell me how to make the certificate read on Android 7 without errors.
Thanks...

I created the certificate this way
acme.sh --issue -d domain.name --dns dns_cf --server letsencrypt

1 Like

In some cases... maybe.

In most cases, yes.

They may need to update their root stores.

1 Like

@ayton
You probably need to update the chain used.
Which chain does it serve now?
Which cert files did you use?

1 Like

I am using two files
fullchain.cer
domain.name.key

2 Likes

As of today Chrome on my Windows 7 stopped pulling up all sites encrypted with letsencrypt. Very peculiar as Chrome on my phone and laptop (Win 10) work just fine. Even more peculiar is that when I try to pull up a site (e.g. https://colossus.media), Chrome will sometimes simply say ERR_TIMED_OUT, but sometimes will complain about NET::ERR_CERT_DATE_INV
Drives me crazy. Spent all day troubleshooting this. Nobody else I know is having this issue. I would assume it's my PC, but the fact that it happened on the 30th.... Hmm, strange.

Firefox works great.

3 Likes

You can remove DST Root X3 from the ca certificates.
I described how it works on an old Debian wheezy with OpenSSL 1.0.1:
https://www.kobelnet.ch/2021/09/30/old-lets-encrypt-root-certificate-expiration-workaround

3 Likes

Does that solve the problem? I have IIS running

1 Like

Hi guys,

When I test my website on SSL Certificate Checker it fails, when I test on https://www.digicert.com/help/ it passes.

Can't make it work on some devices (Windows 7 included).

What I have tried so far:

  • deleted all X3 and R3 expired certificates
  • use PSExec to see certificates and delete it (suggested in another thread)
  • generate new certificates
  • restarted IIS
  • restarted server
  • restarted client
  • changed the Preferred Issuer to "ISRG Root X1"

Any different suggestion? Thanks.

My system:

1 Like

Does what solve the problem?

1 Like

@ayton,
OK, I would try:
edit the fullchain.pem file
remove the last (bottom) certificate

[there should be three certs in there]

2 Likes
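The edit suggested to @ayton above (remove the last certificate from the full chain file), written out as an added example that is not part of any post in this thread. The function names and the dummy sample file are assumptions, and it assumes the file lists the leaf first and the certificate to drop last.

```shell
#!/bin/sh
# Added example (not from the thread): drop the last certificate of a PEM chain.
# Assumed order in the file: leaf, intermediate, then the cross-signed root.

count_certs() {
    # Print the number of PEM certificate blocks in file $1.
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

drop_last_cert() {
    # Usage: drop_last_cert IN OUT
    # Copies every certificate block of IN except the last one to OUT.
    in=$1; out=$2
    n=$(count_certs "$in") || n=0
    if [ "$n" -lt 2 ]; then
        echo "refusing: $in holds $n certificate(s)" >&2
        return 1
    fi
    awk -v keep="$((n - 1))" '
        /-----BEGIN CERTIFICATE-----/ { idx++; inblock = 1 }
        inblock && idx <= keep        { print }
        /-----END CERTIFICATE-----/   { inblock = 0 }
    ' "$in" > "$out"
}

make_sample_chain() {
    # Constructed stand-in for fullchain.pem: three dummy blocks, not real certs.
    for body in CONSTRUCTEDLEAF CONSTRUCTEDINTERMEDIATE CONSTRUCTEDCROSSSIGNEDROOT; do
        printf '%s\n%s\n%s\n\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----'
    done > "$1"
}

# Demo on the constructed file; for a real chain, work on a copy and check the
# certificate count of the result before the server is reloaded with it.
tmp=$(mktemp -d)
make_sample_chain "$tmp/fullchain.pem"
drop_last_cert "$tmp/fullchain.pem" "$tmp/shortchain.pem"
echo "before: $(count_certs "$tmp/fullchain.pem"), after: $(count_certs "$tmp/shortchain.pem")"
```

Writing to a separate output file keeps the original chain untouched, so the change can be reverted by pointing the server back at the old file.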

Did you open the Certificate control panel with local computer? If you open it as a user and make modifications it won't work. (Silly answer, but hey, some are using cert manager as a user for computer based certs.)

1 Like

@alimovz
I suppose Chrome is using its own certificate store.
And you would need to get in there and add/remove the expired cert.

1 Like

Yes, actually I tried in all of them. User, Local and Service.

2 Likes