Help thread for DST Root CA X3 expiration (September 2021)

When I use the longer chain, my APIs get errors in curl requests like the following:
cURL error 60: SSL certificate problem: certificate has expired

If I choose the shorter one, I don't get support for older Android versions.

Is there a way to get old Androids and curl to work?

1 Like

Yes; one way is to switch to another (free and ACME friendly) CA.

3 Likes

No way to get it to work with Let's Encrypt?
I can't go to another CA cuz I have lots of domains. The other CAs' free plans are too limited.

Do I really need to choose between my APIs working and support for older Android versions?

1 Like

curl should be able to work with the longer chain, depending on software versions used.

5 Likes

Ok, that's good.

Which software / versions are we talking about? Can you point me to a way to check that?

They say OpenSSL must be over 1.1. When I run openssl version I get:

OpenSSL 1.1.0h 27 Mar 2018

lsb_release prints out:

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.7 LTS
Release:	16.04
Codename:	xenial

Anything else I need to check?

2 Likes

Please show:
apt list | grep installed | grep cert

You should see:

ca-certificates/xenial-updates,xenial-updates,xenial-security,xenial-security,now 20210119~16.04.1 all [installed]

6 Likes

ca-certificates/xenial-updates,xenial-security,now 20210119~16.04.1 all [installed]
python-pkg-resources/xenial,now 33.1.1-1+certbot~xenial+1 all [installed,automatic]
python3-acme/xenial,now 0.31.0-2+ubuntu16.04.6+certbot+2 all [installed,auto-removable]
python3-asn1crypto/xenial,now 0.22.0-2+ubuntu16.04.1+certbot+1 all [installed,automatic]
python3-augeas/xenial,now 0.5.0-1+ubuntu16.04.1+certbot+1 all [installed,auto-removable]
python3-certbot/xenial,now 0.31.0-2~deb10u1+ubuntu16.04.1+certbot+3 all [installed,auto-removable]
python3-certifi/xenial,now 2017.4.17-2+ubuntu16.04.1+certbot+1 all [installed,auto-removable]
python3-cffi-backend/xenial,now 1.10.0-0.1+ubuntu16.04.1+certbot+1 amd64 [installed]
python3-chardet/xenial,now 3.0.4-1+ubuntu16.04.1+certbot+2 all [installed]
python3-configargparse/xenial,now 0.11.0-1+certbot~xenial+1 all [installed,auto-removable]
python3-configobj/xenial,now 5.0.6-2+ubuntu16.04.1+certbot+1 all [installed]
python3-cryptography/xenial,now 1.9-1+ubuntu16.04.1+certbot+2 amd64 [installed]
python3-future/xenial,now 0.15.2-4+ubuntu16.04.1+certbot+3 all [installed,auto-removable]
python3-idna/xenial,now 2.5-1+ubuntu16.04.1+certbot+1 all [installed]
python3-ndg-httpsclient/xenial,now 0.4.2-1+certbot~xenial+1 all [installed,auto-removable]
python3-openssl/xenial,now 17.3.0-1~0+ubuntu16.04.1+certbot+1 all [installed,automatic]
python3-parsedatetime/xenial,now 2.4-3+ubuntu16.04.1+certbot+3 all [installed,auto-removable]
python3-pkg-resources/xenial,now 33.1.1-1+certbot~xenial+1 all [installed]
python3-pyasn1/xenial,now 0.1.9-2+certbot~xenial+1 all [installed]
python3-requests/xenial,now 2.18.1-1+ubuntu16.04.1+certbot+1 all [installed,auto-removable]
python3-requests-toolbelt/xenial,now 0.8.0-1+ubuntu16.04.1+certbot+1 all [installed,auto-removable]
python3-rfc3339/xenial,now 1.0-4+certbot~xenial+1 all [installed,auto-removable]
python3-six/xenial,now 1.11.0-1+ubuntu16.04.1+certbot+1 all [installed]
python3-urllib3/xenial,now 1.21.1-1+ubuntu16.04.1+certbot+1 all [installed]
python3-zope.component/xenial,now 4.3.0-1+ubuntu16.04.1+certbot+3 all [installed,auto-removable]
python3-zope.hookable/xenial,now 4.0.4-4+ubuntu16.04.1+certbot+1 amd64 [installed,auto-removable]
python3-zope.interface/xenial,now 4.3.2-1+ubuntu16.04.1+certbot+1 amd64 [installed,auto-removable]
ssl-cert/xenial,now 1.0.37 all [installed,automatic]

1 Like

Well, that looks right.

4 Likes

Please show the outputs of:
ls -l /etc/ssl/certs/* | grep -Ei 'R3|DST|ISRG'
and
apt update
and
apt install curl

3 Likes

lrwxrwxrwx 1 root root     27 Out  1 22:15 /etc/ssl/certs/062cdee6.0 -> GlobalSign_Root_CA_-_R3.pem
lrwxrwxrwx 1 root root     15 Out  1 22:15 /etc/ssl/certs/0a775a30.0 -> GTS_Root_R3.pem
lrwxrwxrwx 1 root root     27 Out  1 22:15 /etc/ssl/certs/1e8e7201.0 -> GlobalSign_Root_CA_-_R3.pem
lrwxrwxrwx 1 root root     16 Out  1 22:15 /etc/ssl/certs/4042bcee.0 -> ISRG_Root_X1.pem
lrwxrwxrwx 1 root root     16 Out  1 22:15 /etc/ssl/certs/6187b673.0 -> ISRG_Root_X1.pem
lrwxrwxrwx 1 root root     15 Out  1 22:15 /etc/ssl/certs/6b03dec0.0 -> GTS_Root_R3.pem
lrwxrwxrwx 1 root root     62 Out  1 20:30 /etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt
lrwxrwxrwx 1 root root     50 Out  1 20:30 /etc/ssl/certs/GTS_Root_R3.pem -> /usr/share/ca-certificates/mozilla/GTS_Root_R3.crt
lrwxrwxrwx 1 root root     51 Out  1 20:30 /etc/ssl/certs/ISRG_Root_X1.pem -> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
Hit:1 http://mirrors.digitalocean.com/ubuntu xenial InRelease
Get:2 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]                    
Hit:3 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial InRelease                                   
Get:4 http://mirrors.digitalocean.com/ubuntu xenial-updates InRelease [109 kB]                                                      
Hit:5 http://ppa.launchpad.net/ondrej/apache2/ubuntu xenial InRelease                                                                          
Get:6 http://mirrors.digitalocean.com/ubuntu xenial-backports InRelease [107 kB]                                                    
Hit:7 https://repos.insights.digitalocean.com/apt/do-agent main InRelease                                                                      
Hit:8 http://ppa.launchpad.net/ondrej/php/ubuntu xenial InRelease
Get:9 https://deb.nodesource.com/node_9.x xenial InRelease [4.622 B]
Get:10 http://mirrors.digitalocean.com/ubuntu xenial-updates/main Sources [537 kB]
Get:11 http://mirrors.digitalocean.com/ubuntu xenial-updates/main amd64 Packages [2.049 kB]
Fetched 2.916 kB in 1s (1.928 kB/s)                                                  
Reading package lists... Done
Building dependency tree       
Reading state information... Done
152 packages can be upgraded. Run 'apt list --upgradable' to see them.
E: dpkg was interrupted, you must manually run 'sudo dpkg --configure -a' to correct the problem.

1 Like

Wow!

Let's have a look at that:
apt list --upgradable

3 Likes

Well, that's quite a big list.

I'm aware there's a lot of things to update, but I'm afraid to break something when I do it, since I was not responsible for this droplet's initial setup.

Here's the list:

apt/xenial-updates 1.2.35 amd64 [upgradable from: 1.2.32ubuntu0.2]
apt-transport-https/xenial-updates 1.2.35 amd64 [upgradable from: 1.2.32ubuntu0.2]
apt-utils/xenial-updates 1.2.35 amd64 [upgradable from: 1.2.32ubuntu0.2]
bind9-host/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
bsdutils/xenial-updates 1:2.27.1-6ubuntu3.10 amd64 [upgradable from: 1:2.27.1-6ubuntu3.4]
btrfs-tools/xenial-updates 4.4-1ubuntu1.1 amd64 [upgradable from: 4.4-1ubuntu1]
cloud-guest-utils/xenial-updates 0.27-0ubuntu25.2 all [upgradable from: 0.27-0ubuntu25.1]
cloud-initramfs-copymods/xenial-updates 0.27ubuntu1.6 all [upgradable from: 0.27ubuntu1.5]
cloud-initramfs-dyn-netconf/xenial-updates 0.27ubuntu1.6 all [upgradable from: 0.27ubuntu1.5]
console-setup/xenial-updates 1.108ubuntu15.5 all [upgradable from: 1.108ubuntu15.3]
console-setup-linux/xenial-updates 1.108ubuntu15.5 all [upgradable from: 1.108ubuntu15.3]
curl/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
debconf/xenial-updates 1.5.58ubuntu2 all [upgradable from: 1.5.58ubuntu1]
debconf-i18n/xenial-updates 1.5.58ubuntu2 all [upgradable from: 1.5.58ubuntu1]
distro-info-data/xenial-updates,xenial-security 0.28ubuntu0.18 all [upgradable from: 0.28ubuntu0.16]
dmidecode/xenial-updates 3.0-2ubuntu0.2 amd64 [upgradable from: 3.0-2ubuntu0.1]
dnsmasq-base/xenial-updates,xenial-security 2.75-1ubuntu0.16.04.10 amd64 [upgradable from: 2.75-1ubuntu0.16.04.7]
dnsutils/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
do-agent/main 3.12.0 amd64 [upgradable from: 3.9.0]
dpkg/xenial-updates 1.18.4ubuntu1.7 amd64 [upgradable from: 1.18.4ubuntu1.4]
dpkg-dev/xenial-updates 1.18.4ubuntu1.7 all [upgradable from: 1.18.4ubuntu1.4]
friendly-recovery/xenial-updates 0.2.31ubuntu2.1 all [upgradable from: 0.2.31ubuntu1]
git/xenial-updates,xenial-security 1:2.7.4-0ubuntu1.10 amd64 [upgradable from: 1:2.7.4-0ubuntu1.9]
git-man/xenial-updates,xenial-security 1:2.7.4-0ubuntu1.10 all [upgradable from: 1:2.7.4-0ubuntu1.9]
grub-common/xenial-updates 2.02~beta2-36ubuntu3.32 amd64 [upgradable from: 2.02~beta2-36ubuntu3.27]
grub-efi-amd64/xenial-updates 2.04-1ubuntu44.1.2 amd64 [upgradable from: 2.02~beta2-36ubuntu3.27]
grub-efi-amd64-bin/xenial-updates 2.04-1ubuntu44.1.2 amd64 [upgradable from: 2.02~beta2-36ubuntu3.27]
grub-efi-amd64-signed/xenial-updates 1.167~16.04.6+2.04-1ubuntu44.1.2 amd64 [upgradable from: 1.66.27+2.02~beta2-36ubuntu3.27]
grub-legacy-ec2/xenial-updates 21.1-19-gbad84ad4-0ubuntu1~16.04.2 all [upgradable from: 18.2-4-g05926e48-0ubuntu1~16.04.2]
grub-pc-bin/xenial-updates 2.02~beta2-36ubuntu3.32 amd64 [upgradable from: 2.02~beta2-36ubuntu3.27]
grub2-common/xenial-updates 2.02~beta2-36ubuntu3.32 amd64 [upgradable from: 2.02~beta2-36ubuntu3.27]
guile-2.0-libs/xenial-updates 2.0.11+1-10ubuntu0.1 amd64 [upgradable from: 2.0.11+1-10]
ifupdown/xenial-updates 0.8.10ubuntu1.4 amd64 [upgradable from: 0.8.10ubuntu1.3]
initramfs-tools/xenial-updates 0.122ubuntu8.17 all [upgradable from: 0.122ubuntu8.14]
initramfs-tools-bin/xenial-updates 0.122ubuntu8.17 amd64 [upgradable from: 0.122ubuntu8.14]
initramfs-tools-core/xenial-updates 0.122ubuntu8.17 all [upgradable from: 0.122ubuntu8.14]
iproute2/xenial-updates 4.3.0-1ubuntu3.16.04.5 amd64 [upgradable from: 4.3.0-1ubuntu3.16.04.3]
keyboard-configuration/xenial-updates 1.108ubuntu15.5 all [upgradable from: 1.108ubuntu15.3]
kmod/xenial-updates 22-1ubuntu5.2 amd64 [upgradable from: 22-1ubuntu5]
libapt-inst2.0/xenial-updates 1.2.35 amd64 [upgradable from: 1.2.32ubuntu0.2]
libapt-pkg5.0/xenial-updates 1.2.35 amd64 [upgradable from: 1.2.32ubuntu0.2]
libbind9-140/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libblkid1/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
libc-bin/xenial-updates,xenial-security 2.23-0ubuntu11.3 amd64 [upgradable from: 2.23-0ubuntu11.2]
libc-dev-bin/xenial-updates,xenial-security 2.23-0ubuntu11.3 amd64 [upgradable from: 2.23-0ubuntu11.2]
libc6/xenial-updates,xenial-security 2.23-0ubuntu11.3 amd64 [upgradable from: 2.23-0ubuntu11.2]
libc6-dev/xenial-updates,xenial-security 2.23-0ubuntu11.3 amd64 [upgradable from: 2.23-0ubuntu11.2]
libcurl3/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
libcurl3-gnutls/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
libdns-export162/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libdns162/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libdpkg-perl/xenial-updates 1.18.4ubuntu1.7 all [upgradable from: 1.18.4ubuntu1.4]
libdrm-common/xenial-updates 2.4.91-2~16.04.1 all [upgradable from: 2.4.83-1~16.04.1]
libdrm2/xenial-updates 2.4.91-2~16.04.1 amd64 [upgradable from: 2.4.83-1~16.04.1]
libfdisk1/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
libglib2.0-0/xenial-updates,xenial-security 2.48.2-0ubuntu4.8 amd64 [upgradable from: 2.48.2-0ubuntu4.6]
libglib2.0-data/xenial-updates,xenial-security 2.48.2-0ubuntu4.8 all [upgradable from: 2.48.2-0ubuntu4.6]
libhogweed4/xenial-updates,xenial-security 3.2-1ubuntu0.16.04.2 amd64 [upgradable from: 3.2-1ubuntu0.16.04.1]
libisc-export160/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libisc160/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libisccc140/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libisccfg140/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libjs-sphinxdoc/xenial-updates 1.3.6-2ubuntu1.2 all [upgradable from: 1.3.6-2ubuntu1.1]
libjs-underscore/xenial-updates,xenial-security 1.7.0~dfsg-1ubuntu1.1 all [upgradable from: 1.7.0~dfsg-1ubuntu1]
libkmod2/xenial-updates 22-1ubuntu5.2 amd64 [upgradable from: 22-1ubuntu5]
libldap-2.4-2/xenial-updates,xenial-security 2.4.42+dfsg-2ubuntu3.13 amd64 [upgradable from: 2.4.42+dfsg-2ubuntu3.12]
liblwres141/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
liblxc1/xenial-updates 2.0.11-0ubuntu1~16.04.3 amd64 [upgradable from: 2.0.8-0ubuntu1~16.04.2]
libmount1/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
libnettle6/xenial-updates,xenial-security 3.2-1ubuntu0.16.04.2 amd64 [upgradable from: 3.2-1ubuntu0.16.04.1]
libpam-modules/xenial-updates 1.1.8-3.2ubuntu2.3 amd64 [upgradable from: 1.1.8-3.2ubuntu2.1]
libpam-modules-bin/xenial-updates 1.1.8-3.2ubuntu2.3 amd64 [upgradable from: 1.1.8-3.2ubuntu2.1]
libpam-runtime/xenial-updates 1.1.8-3.2ubuntu2.3 all [upgradable from: 1.1.8-3.2ubuntu2.1]
libpam-systemd/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
libpam0g/xenial-updates 1.1.8-3.2ubuntu2.3 amd64 [upgradable from: 1.1.8-3.2ubuntu2.1]
libpci3/xenial-updates 1:3.3.1-1.1ubuntu1.3 amd64 [upgradable from: 1:3.3.1-1.1ubuntu1.2]
libplymouth4/xenial-updates 0.9.2-3ubuntu13.5 amd64 [upgradable from: 0.9.2-3ubuntu13.4]
libprocps4/xenial-updates 2:3.3.10-4ubuntu2.5 amd64 [upgradable from: 2:3.3.10-4ubuntu2.4]
libpython2.7/xenial-updates,xenial-security 2.7.12-1ubuntu0~16.04.18 amd64 [upgradable from: 2.7.12-1ubuntu0~16.04.13]
libpython2.7-minimal/xenial-updates,xenial-security 2.7.12-1ubuntu0~16.04.18 amd64 [upgradable from: 2.7.12-1ubuntu0~16.04.13]
libpython2.7-stdlib/xenial-updates,xenial-security 2.7.12-1ubuntu0~16.04.18 amd64 [upgradable from: 2.7.12-1ubuntu0~16.04.13]
libpython3.5/xenial-updates,xenial-security 3.5.2-2ubuntu0~16.04.13 amd64 [upgradable from: 3.5.2-2ubuntu0~16.04.12]
libpython3.5-minimal/xenial-updates,xenial-security 3.5.2-2ubuntu0~16.04.13 amd64 [upgradable from: 3.5.2-2ubuntu0~16.04.12]
libpython3.5-stdlib/xenial-updates,xenial-security 3.5.2-2ubuntu0~16.04.13 amd64 [upgradable from: 3.5.2-2ubuntu0~16.04.12]
libseccomp2/xenial-updates 2.5.1-1ubuntu1~16.04.1 amd64 [upgradable from: 2.4.3-1ubuntu3.16.04.3]
libslang2/xenial-updates 2.3.0-2ubuntu1.1 amd64 [upgradable from: 2.3.0-2ubuntu1]
libsmartcols1/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
libssl1.0.0/xenial-updates,xenial-security 1.0.2g-1ubuntu4.20 amd64 [upgradable from: 1.0.2g-1ubuntu4.18]
libsystemd0/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
libtiff5/xenial-updates,xenial-security 4.0.6-1ubuntu0.8 amd64 [upgradable from: 4.0.6-1ubuntu0.7]
libudev1/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
libuuid1/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
linux-headers-generic/xenial-updates,xenial-security 4.4.0.210.216 amd64 [upgradable from: 4.4.0.201.207]
linux-headers-virtual/xenial-updates,xenial-security 4.4.0.210.216 amd64 [upgradable from: 4.4.0.201.207]
linux-image-virtual/xenial-updates,xenial-security 4.4.0.210.216 amd64 [upgradable from: 4.4.0.201.207]
linux-libc-dev/xenial-updates,xenial-security 4.4.0-210.242 amd64 [upgradable from: 4.4.0-201.233]
linux-virtual/xenial-updates,xenial-security 4.4.0.210.216 amd64 [upgradable from: 4.4.0.201.207]
locales/xenial-updates,xenial-security 2.23-0ubuntu11.3 all [upgradable from: 2.23-0ubuntu11.2]
login/xenial-updates 1:4.2-3.1ubuntu5.4 amd64 [upgradable from: 1:4.2-3.1ubuntu5.3]
lshw/xenial-updates 02.17-1.1ubuntu3.6 amd64 [upgradable from: 02.17-1.1ubuntu3.5]
lxc-common/xenial-updates 2.0.11-0ubuntu1~16.04.3 amd64 [upgradable from: 2.0.8-0ubuntu1~16.04.2]
mokutil/xenial-updates,xenial-security 0.3.0+1538710437.fb6250f-0ubuntu2~16.04.1 amd64 [upgradable from: 0.3.0-0ubuntu3]
mount/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
multiarch-support/xenial-updates,xenial-security 2.23-0ubuntu11.3 amd64 [upgradable from: 2.23-0ubuntu11.2]
open-iscsi/xenial-updates 2.0.873+git0.3b4b4500-14ubuntu3.7 amd64 [upgradable from: 2.0.873+git0.3b4b4500-14ubuntu3.4]
open-vm-tools/xenial-updates 2:10.2.0-3~ubuntu0.16.04.1 amd64 [upgradable from: 2:10.0.7-3227872-5ubuntu1~16.04.2]
openssh-client/xenial-updates 1:7.2p2-4ubuntu2.10 amd64 [upgradable from: 1:7.2p2-4ubuntu2.8]
openssh-server/xenial-updates 1:7.2p2-4ubuntu2.10 amd64 [upgradable from: 1:7.2p2-4ubuntu2.8]
openssh-sftp-server/xenial-updates 1:7.2p2-4ubuntu2.10 amd64 [upgradable from: 1:7.2p2-4ubuntu2.8]
overlayroot/xenial-updates 0.27ubuntu1.6 all [upgradable from: 0.27ubuntu1.5]
passwd/xenial-updates 1:4.2-3.1ubuntu5.4 amd64 [upgradable from: 1:4.2-3.1ubuntu5.3]
pciutils/xenial-updates 1:3.3.1-1.1ubuntu1.3 amd64 [upgradable from: 1:3.3.1-1.1ubuntu1.2]
plymouth/xenial-updates 0.9.2-3ubuntu13.5 amd64 [upgradable from: 0.9.2-3ubuntu13.4]
plymouth-theme-ubuntu-text/xenial-updates 0.9.2-3ubuntu13.5 amd64 [upgradable from: 0.9.2-3ubuntu13.4]
pollinate/xenial-updates 4.33-0ubuntu1~16.04.1 all [upgradable from: 4.25-0ubuntu1~16.04.1]
postfix/xenial-updates 3.1.0-3ubuntu0.4 amd64 [upgradable from: 3.1.0-3ubuntu0.3]
procps/xenial-updates 2:3.3.10-4ubuntu2.5 amd64 [upgradable from: 2:3.3.10-4ubuntu2.4]
psmisc/xenial-updates 22.21-2.1ubuntu0.1 amd64 [upgradable from: 22.21-2.1build1]
python-apt-common/xenial-updates 1.1.0~beta1ubuntu0.16.04.12 all [upgradable from: 1.1.0~beta1ubuntu0.16.04.11]
python2.7/xenial-updates,xenial-security 2.7.12-1ubuntu0~16.04.18 amd64 [upgradable from: 2.7.12-1ubuntu0~16.04.13]
python2.7-minimal/xenial-updates,xenial-security 2.7.12-1ubuntu0~16.04.18 amd64 [upgradable from: 2.7.12-1ubuntu0~16.04.13]
python3-apt/xenial-updates 1.1.0~beta1ubuntu0.16.04.12 amd64 [upgradable from: 1.1.0~beta1ubuntu0.16.04.11]
python3-distupgrade/xenial-updates 1:16.04.32 all [upgradable from: 1:16.04.25]
python3-josepy/xenial 1.1.0-2+ubuntu16.04.1+certbot+1 all [upgradable from: 1.0.1-1+ubuntu16.04.1+certbot+7]
python3-update-manager/xenial-updates 1:16.04.17 all [upgradable from: 1:16.04.13]
python3.5/xenial-updates,xenial-security 3.5.2-2ubuntu0~16.04.13 amd64 [upgradable from: 3.5.2-2ubuntu0~16.04.12]
python3.5-minimal/xenial-updates,xenial-security 3.5.2-2ubuntu0~16.04.13 amd64 [upgradable from: 3.5.2-2ubuntu0~16.04.12]
resolvconf/xenial-updates 1.78ubuntu7 all [upgradable from: 1.78ubuntu6]
rsyslog/xenial-updates 8.16.0-1ubuntu3.1 amd64 [upgradable from: 8.16.0-1ubuntu3]
sbsigntool/xenial-updates,xenial-security 0.6-0ubuntu10.2 amd64 [upgradable from: 0.6-0ubuntu10.1]
screen/xenial-updates,xenial-security 4.3.1-2ubuntu0.1 amd64 [upgradable from: 4.3.1-2build1]
secureboot-db/xenial-updates 1.4~ubuntu0.16.04.1 amd64 [upgradable from: 1.1]
shared-mime-info/xenial-updates 1.5-2ubuntu0.2 amd64 [upgradable from: 1.5-2ubuntu0.1]
shim/xenial-updates 15.4-0ubuntu7 amd64 [upgradable from: 13-0ubuntu2]
shim-signed/xenial-updates 1.33.1~16.04.10+15.4-0ubuntu7 amd64 [upgradable from: 1.33.1~16.04.1+13-0ubuntu2]
sosreport/xenial-updates 3.9.1-1ubuntu0.16.04.2 amd64 [upgradable from: 3.5-1~ubuntu16.04.2]
squashfs-tools/xenial-updates 1:4.3-3ubuntu2.16.04.3 amd64 [upgradable from: 1:4.3-3ubuntu2.16.04.1]
systemd/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
systemd-sysv/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
ubuntu-keyring/xenial-updates 2012.05.19.1 all [upgradable from: 2012.05.19]
ubuntu-minimal/xenial-updates 1.361.6 amd64 [upgradable from: 1.361.1]
ubuntu-release-upgrader-core/xenial-updates 1:16.04.32 all [upgradable from: 1:16.04.25]
ubuntu-standard/xenial-updates 1.361.6 amd64 [upgradable from: 1.361.1]
udev/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
uidmap/xenial-updates 1:4.2-3.1ubuntu5.4 amd64 [upgradable from: 1:4.2-3.1ubuntu5.3]
unattended-upgrades/xenial-updates 1.1ubuntu1.18.04.7~16.04.7 all [upgradable from: 0.90ubuntu0.10]
update-manager-core/xenial-updates 1:16.04.17 all [upgradable from: 1:16.04.13]
update-notifier-common/xenial-updates 3.168.15 all [upgradable from: 3.168.8]
ureadahead/xenial-updates 0.100.0-19.1 amd64 [upgradable from: 0.100.0-19]
util-linux/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
uuid-runtime/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
vlan/xenial-updates 1.9-3.2ubuntu1.16.04.5 amd64 [upgradable from: 1.9-3.2ubuntu1.16.04.4]

Can you point to anything on that list responsible for curl not working with the longer chain?
If so, how can I update without breaking everything? Any tips?

1 Like

I'd update:

curl/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
libcurl3/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
libcurl3-gnutls/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
libssl1.0.0/xenial-updates,xenial-security 1.0.2g-1ubuntu4.20 amd64 [upgradable from: 1.0.2g-1ubuntu4.18]

[if not all of them]

5 Likes

Ok. I'll evaluate the best way to update the critical ones without breaking anything.
I'll let you know if it works after the updates.
Thanks in advance.

3 Likes

I use Ubuntu LTS and install all updates as a routine, and my portfolio of sites is all still working fine.

1 Like

Hi All,

The issuer is still "CN = DST Root CA X3" after we did certbot --preferred-chain "ISRG Root X1".

We were having problems logging into our Dovecot IMAP server. We got this message:
"sslv3 alert certificate expired: SSL alert number 45".
We found out that it was caused by the expiry of the DST Root CA X3 CA certificate and so we did this:

  1. Ran dpkg-reconfigure ca-certificates and deselected mozilla/DST_Root_CA_X3.crt and installed mozilla/ISRG_Root_X1.crt.
  2. Ran certbot --preferred-chain "ISRG Root X1" and selected Renew & replace the certificate

After that, we got this Dovecot imap-login error: "tlsv1 alert unknown ca: SSL alert".

Before we did steps 1 and 2 above, we ran openssl s_client -connect server:993 and got this:
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

After we did steps 1 and 2 above, we got this:
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

The issuer is still CN = DST Root CA X3 even though the Certificate chain does not have DST Root CA X3 anymore.

We re-ran dpkg-reconfigure ca-certificates and selected mozilla/DST_Root_CA_X3.crt, and now the Dovecot imap-login error is back to "sslv3 alert certificate expired".

root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

root@server2:/# openssl s_client -connect server2.example1.com:443 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

We don't get any problem with our website, which uses the same SSL certificate, even though the openssl s_client -connect command above shows the issuer as CN = DST Root CA X3. But in the Chrome and Edge browsers, the Certification Path only shows ISRG Root X1 as the root CA.

Thank you very much in anticipation.

1 Like

Hi @functioneer and welcome to the LE community forum 🙂
[and Merry Christmas (to all that celebrate that today)]

After each successful certificate renewal, all programs that were using the old cert must be restarted/reloaded so that they will use the new cert.
You must have done that with your web service (and that is now working as expected).
But you also need to do that with your email service too.

3 Likes

Thank you for the fast reply [rg305]!

We did restart the Dovecot service (as well as postfix and Apache) and even rebooted the server but all to no avail.

As mentioned, before we ran certbot with --preferred-chain "ISRG Root X1", we got three levels in the Certificate chain, with DST Root CA X3 at the third level.
After running certbot --preferred-chain "ISRG Root X1", there are now two levels in the Certificate chain, with ISRG Root X1 at the second level.
But the issuer line of the openssl s_client -connect output still shows this:
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3

Before --preferred-chain "ISRG Root X1":
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

After --preferred-chain "ISRG Root X1":
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

But mysteriously, today the issuer in the openssl s_client output is now correctly ISRG Root X1.

Yesterday:
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

root@server2:/# openssl s_client -connect server2.example1.com:443 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

Today:

root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = server2.example1.com
verify return:1

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

root@server2:/# openssl s_client -connect server2.example1.com:443 -servername server2.example1.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = server2.example1.com
verify return:1

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

So everything is fine now but we don't know what happened. Maybe some caching somewhere? Thank you once again Rudy.

3 Likes
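The `openssl s_client` transcripts in the two Dovecot posts above (and the curl "certificate has expired" error from the first question) all hinge on one question: did the certificate that failed verification come from the server, or from the client's own trust store? The following is an added example, not code from the forum posters, from Let's Encrypt or from certbot. It parses the `depth=N ...` / `verify error:num=...` header lines and the `Certificate chain` section exactly as pasted in the posts, and uses the fact that `s_client` never fetches issuers over the network: a verify error at a depth at or beyond the number of served certificates means OpenSSL built that part of the path from the local store. The sample inputs are copied from the posts (hostnames as anonymised there); all function names and the remedy wording are this example's own.

```python
"""Parse `openssl s_client` output and report where chain verification broke."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
CHAIN_ENTRY_RE = re.compile(r"^(\d+)\s+s:(.*)$")
ERR_UNABLE_TO_GET_ISSUER, ERR_CERT_HAS_EXPIRED = 2, 10  # OpenSSL X509_V_ERR_* codes seen in the thread

@dataclass
class SClientReport:
    served: List[str] = field(default_factory=list)  # subject of each cert the peer sent, leaf first
    error_depth: Optional[int] = None  # depth 0 is the leaf; the root has the highest depth
    error_num: Optional[int] = None
    error_msg: str = ""
    failing_subject: str = ""

    @property
    def verified(self) -> bool:
        return self.error_num is None

    @property
    def failing_cert_was_served(self) -> Optional[bool]:
        # a depth at or beyond the served count means the cert came from the client's own store
        return None if self.error_depth is None else self.error_depth < len(self.served)

def parse_s_client(text: str) -> SClientReport:
    """Read the verify-callback header lines and the 'Certificate chain' section."""
    rep, depth, subject, in_chain = SClientReport(), None, "", False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate chain"):
            in_chain = True
        elif in_chain and (m := CHAIN_ENTRY_RE.match(line)):
            rep.served.append(m.group(2).strip())
        elif in_chain and (not line or line.startswith("i:")):
            continue  # blank line, or the 'i:' issuer line that follows each entry
        elif in_chain:
            in_chain = False  # '---' or 'Server certificate' closes the section
        elif m := DEPTH_RE.match(line):
            depth, subject = int(m.group(1)), m.group(2).strip()
        elif (m := VERIFY_ERR_RE.match(line)) and rep.error_num is None:  # first error = deepest
            rep.error_depth, rep.error_num = depth, int(m.group(1))
            rep.error_msg, rep.failing_subject = m.group(2).strip(), subject
    return rep

def diagnose(rep: SClientReport) -> str:
    """ok | expired-{served,local} | issuer-missing-{served,local} | other-N"""
    if rep.verified:
        return "ok"
    where = "served" if rep.failing_cert_was_served else "local"
    if rep.error_num == ERR_CERT_HAS_EXPIRED:
        return f"expired-{where}"
    if rep.error_num == ERR_UNABLE_TO_GET_ISSUER:
        return f"issuer-missing-{where}"
    return f"other-{rep.error_num}"

REMEDY = {  # this example's wording; the steps are the ones discussed in the thread
    "ok": "chain verified up to a trusted root; nothing to fix on this client",
    "expired-local": "the expired cert came from the client's own trust store (the DST Root CA X3 case): "
                     "update ca-certificates so ISRG Root X1 is present and use OpenSSL 1.1.0 or later",
    "expired-served": "the peer sent an expired cert: renew it, or serve the short chain "
                      "(certbot --preferred-chain \"ISRG Root X1\") and reload the service",
    "issuer-missing-local": "OpenSSL found the cert locally but not its issuer: install the self-signed "
                            "ISRG Root X1 in the client trust store",
}

def explain(rep: SClientReport) -> str:
    code = diagnose(rep)
    where = "" if rep.verified else f" at depth {rep.error_depth} ({rep.failing_subject})"
    return f"{code}{where}: {REMEDY.get(code, rep.error_msg)}"

# Sample outputs copied from the posts above: port 993 before and after the trust-store change.
SAMPLE_BEFORE = """depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""
SAMPLE_AFTER = """depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
"""

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"{name}: {explain(parse_s_client(text))}")
```

Run it against a saved transcript with `parse_s_client(open("s_client.txt").read())`. For the "before" transcript it reports `expired-local`: the server sent three certificates (depths 0 to 2), so the expired DST Root CA X3 at depth 3 can only have come from the client's trust store, which is why updating ca-certificates and libssl on the client (or using OpenSSL 1.1.0 or later, which prefers a trusted self-signed root) fixes curl without touching the server. For the "after" transcript it reports `issuer-missing-local`, matching the "unknown ca" alert Dovecot logged once DST Root CA X3 had been removed from the store.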
