Hi All,
The issuer is still "CN = DST Root CA X3" after we did certbot --preferred-chain "ISRG Root X1".
We were having problems logging into our Dovecot IMAP server. We got this message:
"sslv3 alert certificate expired: SSL alert number 45".
We found out that it was caused by the expiry of the DST Root CA X3 CA certificate and so we did this:
1. Ran dpkg-reconfigure ca-certificates, deselected mozilla/DST_Root_CA_X3.crt and installed mozilla/ISRG_Root_X1.crt.
2. Ran certbot --preferred-chain "ISRG Root X1" and selected "Renew & replace the certificate".
After that, we got this Dovecot imap-login error: "tlsv1 alert unknown ca: SSL alert".
Before we did the above steps 1 and 2, we ran openssl s_client -connect server:993 and got this:
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
After we did the above steps 1 and 2, we got this:
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
The issuer is still CN = DST Root CA X3 even though the Certificate chain does not have DST Root CA X3 anymore.
We re-ran dpkg-reconfigure ca-certificates and selected mozilla/DST_Root_CA_X3.crt, and now the Dovecot imap-login error is back to "sslv3 alert certificate expired".
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
root@server2:/# openssl s_client -connect server2.example1.com:443 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
We don't get any problems with our website, which uses the same SSL certificate, even though the openssl s_client -connect command above shows the issuer as CN = DST Root CA X3. But in the Chrome and Edge browsers, the Certification Path only shows ISRG Root X1 as the root CA.
Thank you very much in anticipation.
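The traces in the post mix two different things: the "Certificate chain" listing is what the server sent, while the "depth=" and "verify error" lines describe the path the local OpenSSL verifier assembled, partly from its own trust store. In the second trace the server sent only two certificates, so the ISRG Root X1 whose issuer is DST Root CA X3 (the cross-signed copy) was found locally, not received from the server. The following triage script is an added example, not code from the post, Dovecot, certbot or OpenSSL; it parses s_client traces constructed from the lines above and reports which side each symptom belongs to. It assumes the standard s_client output format and OpenSSL's verify error numbers 10 (certificate has expired) and 2 (unable to get issuer certificate). One further point for the Dovecot log: a TLS alert such as "certificate expired" (45) or "unknown ca" (48) is sent by the connecting mail client after its own validation fails, so the client devices' trust stores matter as much as the server's.

```python
"""Triage for openssl s_client verification traces (added example, not the post's code).

Keeps two questions apart: which chain the server SENDS ("Certificate chain"
listing) and which path the local verifier BUILT from its own trust store
("depth=" / "verify error" lines).  Sample traces are constructed from the post.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

DST_ROOT = "DST Root CA X3"
ISRG_ROOT = "ISRG Root X1"


def cn_of(dn: str) -> str:
    """CN from either DN style openssl prints: '/O=x/CN=R3' or 'O = x, CN = R3'."""
    m = re.search(r"CN\s*=\s*([^/,]+)", dn)
    return m.group(1).strip() if m else dn.strip()


@dataclass
class Trace:
    served: List[Tuple[str, str]] = field(default_factory=list)  # (subject CN, issuer CN) sent by server
    error_num: Optional[int] = None          # first X509 verify error number seen
    error_depth_cn: Optional[str] = None     # subject CN of the cert the error was raised on
    not_after: Optional[datetime] = None     # detail line following error 10
    missing_issuer_cn: Optional[str] = None  # detail line following error 2
    verify_ok: bool = False


def parse_s_client(text: str) -> Trace:
    t, last_depth_cn, pending_subject, expect = Trace(), None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"depth=\d+\s+(.*)", line):
            last_depth_cn = cn_of(m.group(1))
        elif (m := re.match(r"verify error:num=(\d+):", line)) and t.error_num is None:
            t.error_num, t.error_depth_cn = int(m.group(1)), last_depth_cn
            # Only the detail line directly after the error counts; the later
            # "issuer=" line of the server-certificate section must not overwrite it.
            expect = {10: "notAfter=", 2: "issuer="}.get(t.error_num)
        elif expect and line.startswith(expect):
            value = line[len(expect):].strip()
            if expect == "notAfter=":
                t.not_after = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
            else:
                t.missing_issuer_cn = cn_of(value)
            expect = None
        elif m := re.match(r"\d+\s+s:(.*)", line):   # " 0 s:/CN=..." subject of a served cert
            pending_subject = cn_of(m.group(1))
        elif line.startswith("i:") and pending_subject:  # "   i:/..." its issuer
            t.served.append((pending_subject, cn_of(line[2:])))
            pending_subject = None
        elif line.startswith("Verify return code: 0"):
            t.verify_ok = True
        else:
            expect = None
    return t


def diagnose(t: Trace, now: datetime) -> List[str]:
    f: List[str] = []
    if any(s == ISRG_ROOT and i == DST_ROOT for s, i in t.served):
        f.append("SERVER_SENDS_DST_CROSS_SIGN")  # long chain: cross-signed ISRG Root X1 included
    elif t.served and t.served[-1][1] == ISRG_ROOT:
        f.append("SERVER_SENDS_SHORT_CHAIN")     # leaf + R3 only; chain ends at ISRG Root X1
    if t.verify_ok:
        f.append("VERIFY_OK")
    elif t.error_num == 10 and t.error_depth_cn == DST_ROOT:
        f.append("PATH_ENDS_AT_EXPIRED_DST_ROOT")  # client must trust self-signed ISRG Root X1
        if t.not_after and t.not_after < now:
            f.append("EXPIRED_SINCE_" + t.not_after.date().isoformat())
    elif t.error_num == 2 and t.error_depth_cn == ISRG_ROOT and t.missing_issuer_cn == DST_ROOT:
        f.append("VERIFIER_USED_CROSS_SIGNED_ISRG_ROOT")  # cross-signed copy found locally, not the self-signed root
    elif t.error_num is not None:
        f.append(f"VERIFY_ERROR_{t.error_num}")
    return f


def triage(text: str, now: Optional[datetime] = None) -> List[str]:
    return diagnose(parse_s_client(text), now or datetime.now(timezone.utc))


# Constructed from the post's traces; "subject=/issuer=" lines added as s_client prints them.
BEFORE = """CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
 0 s:/CN=server2.example1.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""
AFTER = """CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3
Certificate chain
 0 s:/CN=server2.example1.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
subject=CN = server2.example1.com
issuer=C = US, O = Let's Encrypt, CN = R3
"""

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, triage(sample))
```

Run it against a live trace with `openssl s_client -connect host:993 -servername host < /dev/null | python3 triage.py` after adding a stdin branch, or paste the trace into a constant as done here. The finding for the second trace says the fix is in local storage, not in the served chain: the verifier has to find the self-signed ISRG Root X1 as a trust anchor and should not find a cross-signed copy of it first.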