Help thread with cremationlab

Where do I get the DST_Root_CA_X3.pem file?

10 posts were split to a new topic: AWS with CentOS - tweaking configs

The only trustworthy !

1 Like

Hi @jsha! Almost a beta tester :sweat_smile:

Site: app.gesnex.com
OS: Amazon Linux AMI 2018.03
OpenSSL 1.0.2k-fips 26 Jan 2017

The other site, www.gesnex.com, is working fine; however, under Amazon Linux 2 this solution worked fine: RHEL/CentOS 7 Fix for Let’s Encrypt Change | by Dorai Ashok S A | Sep, 2021 | Dev Genius ( trust dump --filter.... )

But with this one (app.gesnex.com), I blacklisted the cert ( /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem ) and updated with update-ca-trust, but the command openssl s_client -connect app.gesnex.com:443 -servername gesnex.com is still saying Verify return code: 10 (certificate has expired). The command trust does not exist.

It worked for @frsp1 to erase the cert by editing the file, but when you block it (blacklist), it shouldn't be considered; it should not be necessary to remove it from the .pem/.crt files IMHO.

Any ideas? :grimacing:

1 Like

That works for me:
[even with the matching servername]

openssl version
OpenSSL 1.1.1  11 Sep 2018
openssl s_client -connect app.gesnex.com:443 -servername gesnex.com
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = app.gesnex.com
verify return:1
---
Certificate chain
 0 s:CN = app.gesnex.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

But it fails with:

openssl version
OpenSSL 1.0.1f 6 Jan 2014
openssl s_client -connect app.gesnex.com:443 -servername gesnex.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=app.gesnex.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Which version of OpenSSL are you using?

Yeah, you've got to get rid of your upper-level CA (X3). Here is the relevant info I get when I run:

openssl s_client -showcerts -connect app.gesnex.com:443 
CONNECTED(00000005)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
---
Certificate chain
 0 s:/CN=app.gesnex.com
   i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
MIIFQzCCBCugAwIBAgISBDMle2WKcts3tHOLEh//xmEMMA0GCSqGSIb3DQEBCwUA

Just to be clear, are you using acme or certbot?
Have you already done the CA blacklist as per my original post?
Does your cert (or chain) include the X3 CA?

@cremationlab
I can't find it online now, but here it is:


So I copy that into the path above and run that command, and will point me to the new root cert?

Or get it from here:
crt.sh | 8395

Which command above?

Where is my chain.pem file in centos and what would I delete?

I'm not sure I understand what you mean or want.
Which guide/instruction/post are you trying to follow?

Putting the pem file in the blacklist folder and running the update command

I'm truly sorry.
I must have looked at 1000 posts today...
Can you be a bit more specific?

2 Likes

https://community.letsencrypt.org/t/fixing-validation-from-centos-instances/161182?u=cremationlab

This thread is too damn convoluted

It says to remove the X3 mention from the chain.pem file

That depends on the ACME client used.
certbot saves it at:
/etc/letsencrypt/live/EXAMPLE.COM/chain.pem
acme.sh saves it at:
/root/.acme.sh/EXAMPLE.COM/ca.cer
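Since the right fix depends on which certificates are actually in the bundle, here is an added shell script (not from this thread or any of its posters) that audits any PEM bundle, whether the ACME client's chain.pem/ca.cer or the system CA bundle, for expired or soon-expiring certificates and writes a copy with them removed. It assumes the openssl CLI is installed; the sample input it falls back on is two throwaway self-signed certificates it generates itself.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a PEM bundle (certbot's chain.pem,
# acme.sh's ca.cer, or /etc/pki/tls/certs/ca-bundle.crt) for expired or soon-expiring
# certificates and write a copy without them. Assumes the openssl CLI is installed.
# Split bundle $1 into one file per certificate: $2/cert-1.pem, $2/cert-2.pem, ...
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}

# Print status, subject and notAfter per certificate in $1. FLAGGED = expired or
# expiring within $2 seconds (default 0: only already-expired certs such as
# DST Root CA X3). Exit status is the number of flagged certificates.
audit_bundle() {
    bundle=$1; horizon=${2:-0}; dir=$(mktemp -d); flagged=0
    split_bundle "$bundle" "$dir"
    for f in "$dir"/cert-*.pem; do
        [ -f "$f" ] || continue
        if openssl x509 -in "$f" -noout -checkend "$horizon" >/dev/null
        then status=ok; else status=FLAGGED; flagged=$((flagged + 1)); fi
        printf '%-8s %s  %s\n' "$status" "$(openssl x509 -in "$f" -noout -subject)" \
            "$(openssl x509 -in "$f" -noout -enddate)"
    done
    rm -rf "$dir"; return $flagged
}
# Copy $1 to $2 minus the flagged certificates: the bundle-side equivalent of the
# thread's advice to remove the X3 entry from chain.pem.
strip_expired() {
    bundle=$1; out=$2; horizon=${3:-0}; dir=$(mktemp -d)
    split_bundle "$bundle" "$dir"; : > "$out"
    for f in "$dir"/cert-*.pem; do
        [ -f "$f" ] && openssl x509 -in "$f" -noout -checkend "$horizon" >/dev/null \
            && cat "$f" >> "$out"
    done
    rm -rf "$dir"
}

# Constructed sample: two throwaway self-signed certs, valid for 1 and 365 days.
make_sample_bundle() {
    dir=$(mktemp -d)
    for d in 1 365; do   # without -out, req -x509 prints the cert to stdout
        openssl req -x509 -newkey rsa:2048 -nodes -days "$d" -subj "/CN=sample-${d}d" \
            -keyout "$dir/key$d.pem" 2>/dev/null >> "$dir/bundle.pem"
    done
    echo "$dir/bundle.pem"
}

# Stand-alone use: audit $1 (or the sample), flagging anything expiring within 2 days.
audit_bundle "${1:-$(make_sample_bundle)}" 172800 || echo "$? certificate(s) flagged"
```

Run it against the system bundle with a horizon of 0 to see whether the expired DST Root CA X3 is still present after update-ca-trust.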

Where is this IT you speak of?
Again there were +1000 posts here today.

https://community.letsencrypt.org/t/fixing-validation-from-centos-instances/161182

Post by fsrp1

My server doesn't have /etc/letsencrypt or /root/.acme.sh

It uses Plesk if that matters

Looks like they are in /usr/local/psa/var/modules/letsencrypt

Well it should have a web server... which one is that?