For those of you receiving the following error on Xamarin.Forms or .NET-related apps using HttpClient along with a back-end using Certbot, I have found a fairly simple solution and a few workarounds.
I have been working on a Xamarin-based app for the past few months. Let's Encrypt has made it a blast; however, these past few days have not been. I was greeted with this error while trying to demonstrate my app:
Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
I checked to make sure my cert was renewed (it was), then I used SSL Checker to ensure my chain was correct (it was).
- Google Pixel 3a XL
- Lineage OS 9 (might be why the expired CA was not removed)
- Renewing certs with certbot
Solutions & Workarounds
So far in the GitHub thread, courtesy of Dalton, I have seen this solution for servers using certbot. There is an argument to prefer the new ISRG Root X1 CA:
--preferred-chain "ISRG Root X1"
certbot renew --preferred-chain "ISRG Root X1"
One thing to keep in mind is that when ISRG Root X1 inevitably expires September 30th 2024, you might need to modify the preferred chain to a new one.
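To confirm that the renewal changed what the server actually sends, the chain summary printed by openssl s_client can be checked for any entry issued by DST Root CA X3. This is an added example, not code from the original post or the GitHub thread; the check_chain helper, the host name app.example.test and both sample chains are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads the "Certificate chain" summary that
#   openssl s_client -connect HOST:443 -servername HOST </dev/null
# prints, on stdin. Exit 0: chain is ordered and avoids DST Root CA X3;
# exit 1: an entry is issued by DST Root CA X3; exit 2: broken/no chain.
check_chain() {
    awk '
    # Pull the common name out of "CN = R3" or "/CN=R3" style lines.
    function cn(line) {
        sub("^.*CN ?= ?", "", line)
        sub("[,/].*$", "", line)
        return line
    }
    /^ *[0-9]+ s:/ { n++; subj[n] = cn($0) }
    /^ *i:/ && n   { iss[n] = cn($0) }
    END {
        if (n == 0) { print "no certificate chain in input"; exit 2 }
        for (k = 1; k <= n; k++) {
            printf "%d  %s  <-  %s\n", k - 1, subj[k], iss[k]
            # Each entry must be issued by the entry that follows it.
            if (k < n && iss[k] != subj[k + 1]) broken = 1
            if (iss[k] == "DST Root CA X3") dst = 1
        }
        if (dst) { print "served chain still relies on DST Root CA X3"; exit 1 }
        if (broken) { print "chain entries are out of order"; exit 2 }
    }'
}

# Constructed sample: the long chain, served before --preferred-chain.
sample_old_chain() { cat <<'EOF'
Certificate chain
 0 s:CN = app.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
EOF
}

# Constructed sample: the short chain after renewing with --preferred-chain.
sample_new_chain() { cat <<'EOF'
Certificate chain
 0 s:CN = app.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
EOF
}

sample_new_chain | check_chain && echo "OK: no DST Root CA X3 in the chain"
```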
After doing this, my new chain looks like this:
If this does not work, two workarounds are available.
One user in the GitHub thread says that manually removing the expired cert from the chain your server provides will fix the issue. Keep in mind you may have to manually update the fullchain when you renew your cert, unless you set the preferred CA.
The other workaround, which may or may not be viable, is to manually disable the expired DST Root CA X3 cert in the device settings. Trusted CAs are generally located here in the device settings:
Settings -> Security -> Encryption -> Trusted Credentials