Help thread for DST Root CA X3 expiration (September 2021)

Hi All,

The issuer is still "CN = DST Root CA X3" after we did certbot --preferred-chain "ISRG Root X1".

We were having problems logging into our Dovecot IMAP server. We got this message:
"sslv3 alert certificate expired: SSL alert number 45".
We found out that it was caused by the expiry of the DST Root CA X3 CA certificate and so we did this:

  1. Ran dpkg-reconfigure ca-certificates and deselected mozilla/DST_Root_CA_X3.crt and installed mozilla/ISRG_Root_X1.crt.
  2. Ran certbot --preferred-chain "ISRG Root X1" and selected Renew & replace the certificate

After that, we got this Dovecot imap-login error: "tlsv1 alert unknown ca: SSL alert".

Before we did the above steps 1 and 2, we ran openssl s_client -connect server:993 and got this:
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

After we did the above steps 1 and 2, we got this
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

The issuer is still CN = DST Root CA X3 even though the Certificate chain does not have DST Root CA X3 anymore.

We re-ran dpkg-reconfigure ca-certificates and selected mozilla/DST_Root_CA_X3.crt, and now the Dovecot imap-login error is back to "sslv3 alert certificate expired".

root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

root@server2:/# openssl s_client -connect server2.example1.com:443 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

We don't get any problem with our website, which uses the same SSL certificate, even though the openssl s_client -connect command above shows the issuer as CN = DST Root CA X3. But in the Chrome and Edge browsers, the Certification Path only shows ISRG Root X1 as the root CA.

Thank you very much in anticipation


Hi @functioneer and welcome to the LE community forum :)
[and Merry Christmas (to all that celebrate that today)]

After each successful certificate renewal, all programs that were using the old cert must be restarted/reloaded so that they will use the new cert.
You must have done that with your web service (and that is now working as expected).
But you also need to do that with your email service too.


Thank you for the fast reply [rg305]!

We did restart the Dovecot service (as well as postfix and Apache) and even rebooted the server but all to no avail.

As mentioned, before we did certbot with --preferred-chain "ISRG Root X1", we got the levels of the Certificate Chain with DST Root CA X3 at the third level.
After doing certbot --preferred-chain "ISRG Root X1", there are now two levels in the Certificate Chain with ISRG Root X1 at the second level.
But the issuer line of the openssl s_client -connect output still shows this:
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3

Before --preferred-chain "ISRG Root X1":
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

After --preferred-chain "ISRG Root X1":
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

But mysteriously, today the issuer in the openssl s_client output is now correctly ISRG Root X1.

Yesterday:
root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

root@server2:/# openssl s_client -connect server2.example1.com:443 -servername server2.example1.com
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

Today:

root@server2:/# openssl s_client -connect server2.example1.com:993 -servername server2.example1.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = server2.example1.com
verify return:1

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

root@server2:/# openssl s_client -connect server2.example1.com:443 -servername server2.example1.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = server2.example1.com
verify return:1

Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

So everything is fine now but we don't know what happened. Maybe some caching somewhere? Thank you once again Rudy.

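The three s_client outputs pasted in this thread show the two different failures that are easy to confuse: error 10 ("certificate has expired") reported at a depth the server never sent, which means the expired DST Root CA X3 came from the client's own trust store, and error 2 ("unable to get issuer certificate") at the last served certificate, which means the client has no trust anchor for ISRG Root X1. The script below is an added example, not code from the thread or from Let's Encrypt. It parses the text s_client prints, separates the served "Certificate chain" section from the depth= lines of OpenSSL's path building, and classifies the first error relative to the length of the served chain. The sample inputs are copied from the posts above; the classification labels and the rule "depth at or beyond the served chain length came from the local store" are this example's own assumptions, not OpenSSL terminology.

```python
# Added example, not code from the thread: parse pasted `openssl s_client`
# output and tell "the server sent a chain that leads to the expired root"
# apart from "this client's trust store is missing the new root".
# Sample inputs below are copied from the outputs posted in the thread.
import re

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
ENTRY_RE = re.compile(r"^(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^i:(.*)$")


def parse_s_client(text):
    """Return {'verify': [[depth, dn, errnum, msg], ...], 'chain': [[subject, issuer], ...]}.

    'verify' lists every depth= line OpenSSL printed while building the path
    (errnum/msg stay None for 'verify return:1'); 'chain' is only what the
    server actually sent, in the order it sent it.
    """
    verify, chain, in_chain = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Certificate chain":
            in_chain = True
            continue
        if in_chain:
            m = ENTRY_RE.match(line)
            if m:
                chain.append([m.group(2), None])
                continue
            m = ISSUER_RE.match(line)
            if m and chain:
                chain[-1][1] = m.group(1)
                continue
            in_chain = False  # "---", "Server certificate", ... end the section
        m = DEPTH_RE.match(line)
        if m:
            verify.append([int(m.group(1)), m.group(2), None, None])
            continue
        m = ERROR_RE.match(line)
        if m and verify:
            verify[-1][2], verify[-1][3] = int(m.group(1)), m.group(2)
    return {"verify": verify, "chain": chain}


def chain_mentions(report, name):
    """True if any served subject or issuer contains `name` (e.g. a root CN)."""
    return any(name in (s or "") or name in (i or "") for s, i in report["chain"])


def diagnose(report):
    """Classify the first verify error relative to the served chain (labels are ours)."""
    failed = [v for v in report["verify"] if v[2] is not None]
    if not failed:
        return "ok"
    depth, _dn, errnum, _msg = failed[0]
    served = len(report["chain"])
    if errnum == 10:  # X509_V_ERR_CERT_HAS_EXPIRED
        # The server sends certs at depths 0..served-1; anything deeper was
        # pulled from the local trust store, so that is where the fix belongs.
        return "expired_cert_from_local_store" if depth >= served else "expired_cert_sent_by_server"
    if errnum == 2:  # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
        return "issuer_not_in_trust_store"
    return "verify_error_%d" % errnum


# Constructed from the thread's "before" output: long chain ending in the
# cross-signed ISRG Root X1, and the expired DST root found locally at depth 3.
BEFORE = """\
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""
# After --preferred-chain "ISRG Root X1" but with no usable ISRG Root X1 locally.
AFTER_REMOVING_DST = """\
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
"""
# The "Today" output: short chain, self-signed ISRG Root X1 trusted locally.
TODAY = """\
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = server2.example1.com
verify return:1
Certificate chain
0 s:/CN=server2.example1.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER_REMOVING_DST), ("today", TODAY)):
        r = parse_s_client(text)
        print(label, len(r["chain"]), "served certs;", diagnose(r),
              "; served chain mentions DST root:", chain_mentions(r, "DST Root CA X3"))
```

Run it against a live server with `openssl s_client -connect host:993 -servername host </dev/null 2>&1 | python3 this_script.py` after swapping the samples for `sys.stdin.read()`; the useful signal is the pair "which depth failed" and "how many certs were served", which is exactly what distinguishes a server-side chain problem (fix with --preferred-chain and a service reload) from a client-side trust store problem (fix with ca-certificates).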
