Help thread for DST Root CA X3 expiration (September 2021)

@criton2000
hmm... pfx...
Then you are using Windows; And it probably doesn't have the "ISRG Root X1" in the trusted store.
[and possibly not even the "R3" intermediate (not actually required)]
And Windows is doing w/e it feels like with that included information (nothing).

Try adding the "ISRG Root X1" cert to the trust store.
[might need a reboot and/or rebinding of IIS to the cert]
You can find it here:
Self-signed: der, pem

2 Likes

openssl s_client -connect EXAMPLE.COM:25 -starttls smtp

2 Likes

For acme.sh change the EXAMPLE.COM.cer for fullchain.cer

2 Likes

@reg305

Port 25 didn't give a reply. On Port 465 I got this:

CONNECTED(00000003)
Didn't find STARTTLS in server response, trying anyway...
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 346 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

1 Like

I see. How/where do I make this change? @rg305

1 Like

Wait, I don't understand. DST CA X3 is the retired root cert, right? How is that preferred? I need help understanding this. ISRG Root X1 is the one we need to add to some services that can't connect anymore...

1 Like

@matthkarl
Wait!
Wasn't 465 already encrypted?
How can 25 not answer?
How do you get inbound emails?
[via relay only?]

2 Likes

As I represent some websites, and we can't just tell potential website visitors to upgrade software that simply isn't upgrade-able (mac mavericks will never go past chrome 67, for example)
so, we must use a different certificate with a root certificate that is universally trusted... (any ideas?)

if you are using certbot as an ACME client to get LE certificates, you can change the ACME server to use a different provider, I'm still in the process of looking into this (sslforfree.com via zerossl.com)
I believe the ACME protocol requires free 90 day certs, and zerossl does offer that, apparently...
User Guide — Certbot 1.19.0.dev0 documentation

So, there are several ACME service providers
https://www.xf.is/2020/06/30/list-of-free-acme-ssl-providers/

So, after some examination, you only need to use the server flag on the certbot command
--server 'https://api.buypass.com/acme/directory' for example

  1. register with a new ACME service provider
  2. get a certificate from them, and do your usual stuff after.

2 Likes

Thank you for your help.
No. I developed on windows (hence I have to use pfx, otherwise I cannot try), but production server is Ubuntu 18.04, where I commented DST CA X3 using
sudo dpkg-reconfigure ca-certificates
I am not using IIS nor nginx, but the embedded web server Kestrel.

Now I executed
openssl s_client -connect hub1.cet.cloud:443 -servername hub1.cet.cloud
on an Ubuntu 20.04 PC, with the same result (here /etc/ca-certificates.conf contains DST CA X3 commented, and ISRG Root X1 listed and enabled).
Perhaps I am misunderstanding: when requesting certificates using "openssl s_client", does the server answer with the complete chain (theoretically)? Can we see the complete response some way?

2 Likes

@rg305

I was too impatient. After waiting longer I got this.

140421228041536:error:0200206E:system library:connect:Connection timed out:../crypto/bio/b_sock2.c:110:
140421228041536:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=110

So it seems, STARTTLS is not working.

1 Like

I see:

curl -Iki hub1.cet.cloud
HTTP/1.1 307 Temporary Redirect
Date: Fri, 01 Oct 2021 14:41:48 GMT
Server: Kestrel
Location: https://hub1.cet.cloud/

KESTREL?
Is it using the fullchain.pem?

2 Likes

It's NOT a requirement.

2 Likes

No, it uses another file, freecert.pfx, produced with command
openssl pkcs12 -inkey /etc/letsencrypt/live/hub1.cet.cloud/privkey.pem -in /etc/letsencrypt/live/hub1.cet.cloud/fullchain.pem -export -out freecert.pfx -password pass:[mypassword]

1 Like

@criton2000
Well then it is having issues with the PFX file (or contents therein) or is unable to match the chain entries to whichever root store it uses.
It fails to serve the provided chain.
[mind of its own]

---
Certificate chain
 0 s:/CN=hub1.cet.cloud
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
1 Like

Hi,

Our domains have been affected by the DST Root CA X3 expiration.

The only solution we found was to update certbot to at least 1.12 to have access to the --preferred-chain option to force ISRG Root X1.

The problem is that certbot only goes up to 0.31 with apt.

We tried snapd but it seems to not be compatible with our Ubuntu 16.04 (error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount: unknown filesystem type 'squashfs')

Same goes for pip installation, which shows errors that seem to be linked to our python version.

Any help would be appreciated to update our certbot version, like many others, our system is down and clients are waiting.

Thanks!

1 Like

I thought the same, but
openssl pkcs12 -info -in freecert.pfx
produces (see original help request for complete message)

Certificate bag
Bag Attributes: <No Attributes>
subject=/C=US/O=Let's Encrypt/CN=R3
issuer=/C=US/O=Internet Security Research Group/CN=ISRG Root X1

Where ***** does it find reference to DST CA X3?

1 Like

Drop it (for now) and use another ACME client - like: acme.sh

2 Likes

Welcome to the community forum! Yes, there are several working and specific solutions that many posters have adopted to resolve issues client side. However, the specific solution depends on which of the two expirations is causing you problems and what your set-up is like.

In this thread, many users have discovered they are sending an incorrect chain or no chain at all. The solution is to update the configuration specific to your server to serve the correct chain. You can use the search field on this thread or in the forum generally to see if information has been posted and resolved for your server.

The other problem is around which chain you are sending particularly for the roots. There are trade-offs for each one and you can read about them here under the RSA changes for May 4th Production Chain Changes

Those are the main server side options you can take to still use Let’s Encrypt. There are some client side problems related to cached certificates and chain building behavior that have specific solutions as well.

Please begin by searching on the forum to see if your specific setup has been asked about. If you cannot find it, you will need to include some basic information like what is running server-side, what problem you are seeing, and your domain.

4 Likes

The toe bone is connected to the foot bone...
The foot bone is connected to the heel bone...

End-leaf cert connects to R3
R3 connects to X1
X1 connects to X3

Even if you don't explicitly provide that info - it is in there - like DNA!

3 Likes
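To make the "toe bone / foot bone" walk concrete, here is an added example (not code from the thread or from Let's Encrypt) that parses the two chain listings posted above, the `openssl s_client` "Certificate chain" block and the `openssl pkcs12 -info` "Certificate bag" entries, links each certificate's subject to its issuer, and reports which root the chain ends at. The sample inputs are constructed from the lines quoted in the thread (the leaf bag in the PKCS#12 sample is assumed, since the original post only quoted the R3 bag); the 2021-09-30 expiry of DST Root CA X3 is the real date.

```python
"""Walk subject->issuer links in OpenSSL chain listings and name the root."""
import re
from datetime import date

# Constructed sample: the "Certificate chain" block printed by
# `openssl s_client`, as quoted in the thread (chain ends at DST Root CA X3).
S_CLIENT_CHAIN = """\
---
Certificate chain
 0 s:/CN=hub1.cet.cloud
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

# Constructed sample: "Certificate bag" entries printed by `openssl pkcs12 -info`
# for a PFX built from fullchain.pem (leaf bag assumed; R3 bag as quoted).
PKCS12_BAGS = """\
Certificate bag
Bag Attributes: <No Attributes>
subject=/CN=hub1.cet.cloud
issuer=/C=US/O=Let's Encrypt/CN=R3
Certificate bag
Bag Attributes: <No Attributes>
subject=/C=US/O=Let's Encrypt/CN=R3
issuer=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
"""

# The old cross-sign root discussed in the thread expired on this date.
DST_ROOT_CA_X3_EXPIRY = date(2021, 9, 30)


def cn(dn: str) -> str:
    """Return the CN attribute of an OpenSSL-style '/C=../O=../CN=..' DN."""
    m = re.search(r"(?:^|/)CN=([^/]+)", dn)
    return m.group(1).strip() if m else dn.strip()


def parse_s_client(text: str):
    """Yield (subject CN, issuer CN) pairs from an s_client 'Certificate chain' block."""
    pairs, subj = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+s:(.*)", line)
        if m:
            subj = m.group(1)
            continue
        m = re.match(r"\s*i:(.*)", line)
        if m and subj is not None:
            pairs.append((cn(subj), cn(m.group(1))))
            subj = None
    return pairs


def parse_pkcs12(text: str):
    """Yield (subject CN, issuer CN) pairs from `openssl pkcs12 -info` output."""
    pairs, subj = [], None
    for line in text.splitlines():
        if line.startswith("subject="):
            subj = line[len("subject="):]
        elif line.startswith("issuer=") and subj is not None:
            pairs.append((cn(subj), cn(line[len("issuer="):])))
            subj = None
    return pairs


def chain_path(pairs):
    """Follow issuer links from the first (leaf) cert; stop at a self-signed or absent issuer."""
    by_subject = dict(pairs)
    path = [pairs[0][0]]
    while path[-1] in by_subject:
        nxt = by_subject[path[-1]]
        if nxt == path[-1] or nxt in path:  # self-signed root or loop
            break
        path.append(nxt)
    return path


def assess(pairs, today=date(2021, 10, 1)):
    """Report the chain's apex and whether it is the expired DST Root CA X3."""
    path = chain_path(pairs)
    apex = path[-1]
    expired = apex == "DST Root CA X3" and today > DST_ROOT_CA_X3_EXPIRY
    return {"path": path, "apex": apex, "apex_expired": expired}


if __name__ == "__main__":
    for label, pairs in (("s_client", parse_s_client(S_CLIENT_CHAIN)),
                         ("pkcs12", parse_pkcs12(PKCS12_BAGS))):
        r = assess(pairs)
        print(f"{label}: {' -> '.join(r['path'])}  (expired apex: {r['apex_expired']})")
```

Feed it real output by capturing `openssl s_client -connect host:443 -servername host -showcerts </dev/null` or `openssl pkcs12 -info -in freecert.pfx -nokeys`; if the served chain's apex is DST Root CA X3 while the PFX's apex is ISRG Root X1, the server is not sending the file you built, which is the mismatch under discussion.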

But that chain contains

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

that is https://letsencrypt.org/certs/lets-encrypt-r3.pem, which refers to X1 self-signed, or not (I do not know how to link to the original help request)?

1 Like