Help thread for DST Root CA X3 expiration (September 2021)

Point taken.
YMMV; as their expiry dates are not seen equally by all clients.
The ones that can "short-circuit" the validation, will use the longer date explicitly seen in their trust store.
The ones that can't must rely on the validity of the signer (outside of the root itself).

5 Likes
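To make the two client behaviours above concrete, here is an added toy model (my own code, not from this thread or from Let's Encrypt). It uses only certificate names, issuer links and validity dates, no real certificates or signatures. The leaf certificate and its expiry date are constructed; the dates on R3, the ISRG Root X1 cross-sign, the self-signed ISRG Root X1 and DST Root CA X3 are the real ones. `short_circuit=True` models a client that stops as soon as it reaches a subject in its own trust store and uses that copy's validity; `short_circuit=False` models one that walks every certificate the server sent and then checks the root it arrives at.

```python
"""Toy model of chain evaluation after DST Root CA X3 expired (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


# Constructed leaf (hypothetical site); the other entries mirror the real certificates.
LEAF = Cert("example.test", "R3", date(2021, 12, 1))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
DST_X3_ROOT = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))

# Default (long) chain as served by the site, and the alternate (short) chain.
LONG_CHAIN = [LEAF, R3, ISRG_X1_CROSS]
SHORT_CHAIN = [LEAF, R3]

# Trust stores: subject -> the root copy the client has installed.
MODERN_STORE = {c.subject: c for c in (ISRG_X1_SELF, DST_X3_ROOT)}
OLD_STORE = {c.subject: c for c in (DST_X3_ROOT,)}  # never received ISRG Root X1


def validate(chain, store, today, short_circuit):
    """Return (ok, reason). Builds a path from the served chain plus the trust store,
    then rejects it if any certificate on the path is expired."""
    path = []
    for cert in chain:
        if short_circuit and cert.subject in store:
            # Anchor found: use the trust store's copy (its own validity period).
            path.append(store[cert.subject])
            break
        path.append(cert)
    else:
        # Walked the whole served chain; the last issuer must be in the store.
        last = path[-1]
        root = store.get(last.issuer)
        if root is None:
            return False, f"untrusted issuer {last.issuer}"
        path.append(root)
    for cert in path:
        if cert.not_after < today:
            return False, f"{cert.subject} expired {cert.not_after}"
    return True, " -> ".join(c.subject for c in path)


def evaluate_all(today=date(2021, 10, 1)):
    """Run every combination for one day after the DST Root CA X3 expiry."""
    return {
        "long chain, modern store, short-circuit": validate(LONG_CHAIN, MODERN_STORE, today, True),
        "long chain, modern store, full walk": validate(LONG_CHAIN, MODERN_STORE, today, False),
        "long chain, old store": validate(LONG_CHAIN, OLD_STORE, today, True),
        "short chain, old store": validate(SHORT_CHAIN, OLD_STORE, today, True),
    }


if __name__ == "__main__":
    for label, (ok, reason) in evaluate_all().items():
        print(f"{'OK ' if ok else 'BAD'} {label}: {reason}")
```

The four cases reproduce what the thread describes: a modern client that short-circuits at its own ISRG Root X1 copy accepts the long chain; a client that insists on walking to DST Root CA X3 rejects it as expired; a trust store that never received ISRG Root X1 fails on the long chain (expired root) and also on the short chain (untrusted issuer), which is why switching chains only helps clients that already have the new root.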

Yes, correct. I just was trying to clarify this question:

4 Likes

Hi Let's Encrypt ,

I have followed the news about the expiration of X3 and I thought that I didn't have to make any changes for my website. But now I can see that my traffic has fallen by 20% and several browsers are not able to access the site without the big warning of an invalid certificate.

When I look at the chain it is as follows

DST Root CA X3

and it says

This certificate is not valid (expired root)

Any help would be most appreciated.

Christian

2 Likes

Hi @mmncs and welcome to the LE community forum :slight_smile:

I would try switching to the alternate/shorter trust path chain.
How that is done on your server depends on many things...
How much access do you have to it?
Are you an admin, or do you only make changes through a menu/panel?

4 Likes

Hi rg305,

I have full access and right now I am trying to upgrade my certbot to 1.12 where I have the command:

--preferred-chain "ISRG Root X1"

I have tried to add it to the letsencrypt conf file like this:

[renewalparams]
authenticator = webroot
rsa_key_size = 4096
server = https://acme-v02.api.letsencrypt.org/directory
preferred_chain = ISRG Root X1

2 Likes

@mmncs
If you have certbot lower than 1.12, that entry won't do anything.
You can manually edit the fullchain.pem (or chain.pem) file used and remove the last cert from it.
[for a "quick fix" / temporary workaround - that won't survive renewal; as all cert files will be replaced then]

4 Likes

I have access to the fullchain.pem but I really don't know how I should edit it...

and thank you for your time!

3 Likes

Sorry, I didn't read; so I just delete the last key, I guess...

2 Likes

I'd use: vi, but you can use any text editor.
Like: nano

Look for "-----BEGIN *-----" and "-----END *-----" lines.
They surround the certs.
Simply delete the last cert (and the lines surrounding it).
Save the file.
Restart the web service.

Yes, it has one too many certs.

4 Likes
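Editing a PEM file by hand is easy to get wrong (a dangling `-----END` line or a half-deleted block makes the web server refuse to start), so here is an added script that does the same temporary workaround mechanically: it splits a chain file into its certificate blocks, drops the last one, and writes a `.bak` copy first. This is my own example, not certbot code; the `SAMPLE` chain below uses made-up base64 bodies and is only there so the script can be exercised offline. As the post above says, certbot will overwrite the file at the next renewal, so this is not a substitute for the `--preferred-chain` option.

```python
"""Drop the last certificate block from a PEM chain file (added example)."""
import re
import shutil
import sys

# One full "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" block,
# including its trailing newline if present.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----\r?\n?",
    re.DOTALL,
)


def split_pem(text):
    """Return the certificate blocks in the order they appear."""
    return PEM_BLOCK.findall(text)


def drop_last_cert(text):
    """Return (trimmed_text, removed_block).

    Refuses to touch a file with fewer than two certificates: with only the
    leaf present there is nothing that could be an expired root."""
    blocks = split_pem(text)
    if len(blocks) < 2:
        raise ValueError("need at least two certificates; nothing to trim")
    last = blocks[-1]
    start = text.rfind(last)
    trimmed = text[:start].rstrip("\r\n") + "\n"
    return trimmed, last


# Constructed sample chain: three blocks with fake bodies, not real certificates.
SAMPLE = (
    "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nUjM=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nSVNSRyBjcm9zcw==\n-----END CERTIFICATE-----\n"
)


def trim_file(path):
    """Back up `path` to `path.bak`, then rewrite it without its last certificate."""
    with open(path, encoding="ascii") as f:
        text = f.read()
    trimmed, removed = drop_last_cert(text)
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="ascii") as f:
        f.write(trimmed)
    return len(split_pem(trimmed)), removed


if __name__ == "__main__":
    # Usage: python trim_chain.py /etc/letsencrypt/live/<site>/fullchain.pem
    # (path is an example; use your own). Then restart the web service.
    remaining, _ = trim_file(sys.argv[1])
    print(f"kept {remaining} certificate(s); original saved as {sys.argv[1]}.bak")
```

Run it against a copy first and diff the result; the only change should be the removal of the final block. If `split_pem` reports one certificate, the file was already a leaf-only `cert.pem` and not the `fullchain.pem` the server is actually using.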

Invalid certificate

Now it says that this certificate was signed by an untrusted issuer, but the chain has changed to:

ISRG Root X1
-- R3
-- mydomain.com

2 Likes

@mmncs
If you check the site with SSL Labs, and it shows OK there, then this new problem is within your client.
Which implies it doesn't have the latest ca-certificates (or Windows Update or Mac update or etc.)

3 Likes

I have tried access on Opera and Chrome and I can see that it has removed

DST Root CA X3

But it still doesn't work on either. This is on my older mac.

Here is the overall rating:

https://www.ssllabs.com/ssltest/analyze.html?d=www.beautonart.com

Overall rating: B

Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

1 Like

If it is below 10.12, you might have issues.

2 Likes

It is 10.9.5

Is there any way to get it working then?

1 Like

Try this "fix":

2 Likes

Is that something I have to install on the mac?

Since I have had others who have contacted me who get the same error, and I can see that my traffic has decreased about 20%, which very well could be because of this warning, and I have no way to ask people who visit the site to install anything.

I have followed this issue and saw the video where they said there would be no issues with browsers and it seems that more people than you would think are using very old laptops.

2 Likes

If this is affecting systems outside your control...
Then I can only think of one immediate solution:

  • You need to switch to another entirely different chain.
    Like from another (free) CA that is ACME protocol friendly.
4 Likes

So Let's Encrypt doesn't work on older laptops?

1 Like

It's not Let's Encrypt that fails to work.
It's the lack of updated trust stores (and relevant TLS libraries).

Older... yes
Really old... probably not.
[eventually such older systems will have problems with all CAs - LE was just the first to expire]

Think...
I can no longer hear your radio station - on my A.M. radio.

3 Likes

So this is not a decision from Let's Encrypt?

The big problem is that people who visit the site will think it is a virus filled site...

Stealing their credit card information, as it states in Chrome. If it just said they have to update their system, then it would be another story.

2 Likes