SSL Expiry Issue

We have found an issue with the SSL certificate on the proxied domain. The universal certificate got renewed yesterday morning, but when we check with OpenSSL it says it has expired. Can you please check the issue?

CONNECTED(00000006)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=4 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0

After disabling Cloudflare proxying, it started working fine. Can you check why this happens after yesterday's certificate renewal?

Hello, and welcome.

We need your domain name to check stuff. Also, your OS and openssl versions will be useful.

(I mean, your client OS and OpenSSL versions)


The "DST Root CA X3" certificate has indeed expired. This is intended; it won't be renewed. Please see:


Client OS is Ubuntu 14.04 and the OpenSSL version is OpenSSL 1.0.1f.

Wtf. That is too old.

Yeah, that error sounds expected.

Check if ISRG Root X1 is present in your system root store.


Yes, this is available.

Then openssl should not have any issue with that chain. Unless 1.0.1f is one of the old versions that has issues with the "long" chain: Long (default) and Short (alternate) Certificate Chains Explained

Yes, it's this issue (they speak of 1.0.2 but it should be compatible):

In OpenSSL 1.0.x, a quirk in certificate verification means that even clients that trust ISRG Root X1 will fail when presented with the Android-compatible certificate chain we are recommending by default.


Based on the best information available to me (DST Root CA X3 expiry countdown - #24 by xnox), Ubuntu 14.04 will only validate Let's Encrypt's chain if you have access to Ubuntu Extended Security Maintenance (ESM).

I did receive reports multiple months ago that Ubuntu 14.04 without ESM did not work. An Ubuntu 16.04 docker container did work (if ca-certificates was fully up to date) even without ESM (which was kinda surprising because xnox stated ESM would be required).

OpenSSL 1.0.1 is in general much more tricky than 1.0.2, because the documented workarounds (remove the old root) are only available on 1.0.2. However Ubuntu does have backported patches to 1.0.1, so Ubuntu is a bit special - with ESM it should work.

If you have access to ESM, ensure that your Ubuntu system is fully updated (especially openssl, libssl and ca-certificates).

Also note that this only matters if your Ubuntu 14.04 system is making outbound TLS client connections to servers using Let's Encrypt's long chain. This issue does not matter if you are only hosting a TLS server and clients connecting to you are not using Ubuntu 14.04.

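The checks suggested in this thread (look at which depth the `verify error` fires, confirm ISRG Root X1 is in the client's root store, and if it still fails with ISRG Root X1 trusted, suspect the OpenSSL 1.0.x long-chain quirk) can be scripted. The following is an added example written for this thread, not code posted by anyone in it or shipped by Let's Encrypt, Cloudflare or Ubuntu. It parses the `openssl s_client` output quoted in the first post, inspects a CA store using the dict shape returned by the standard-library `ssl.SSLContext.get_ca_certs()`, and maps the two findings to the diagnosis given above. The function names, the `triage` result strings and the store entries used for the self-check are all assumptions made for the example.

```python
"""Triage helper for OpenSSL "certificate has expired" chain failures.

Added example for the thread, not the project's or any poster's code.
  1. parse_verify_output(): turns `openssl s_client` verify output into
     one record per "depth=" block;
  2. store_status(): looks for ISRG Root X1 and DST Root CA X3 in a CA
     store (real one via ssl.SSLContext.get_ca_certs(), or a constructed
     list with the same dict shape);
  3. triage(): combines both into the diagnosis the thread arrives at.
"""
import re
import ssl
import time

# The verify output quoted in the first post of the thread.
SAMPLE_VERIFY_OUTPUT = """\
CONNECTED(00000006)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=4 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
"""

DEPTH_RE = re.compile(r"^depth=(\d+) (.+)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.+)$")
NOTAFTER_RE = re.compile(r"^notAfter=(.+)$")


def parse_verify_output(text):
    """Return a list of dicts (depth, subject, error_num, error, not_after),
    one per "depth=" block printed by openssl s_client."""
    records = []
    current = None
    for line in text.splitlines():
        m = DEPTH_RE.match(line)
        if m:
            current = {"depth": int(m.group(1)), "subject": m.group(2),
                       "error_num": None, "error": None, "not_after": None}
            records.append(current)
            continue
        if current is None:
            continue  # e.g. the CONNECTED(...) line
        m = ERROR_RE.match(line)
        if m:
            current["error_num"] = int(m.group(1))
            current["error"] = m.group(2)
            continue
        m = NOTAFTER_RE.match(line)
        if m:
            current["not_after"] = m.group(1)
    return records


def common_name(subject):
    """CN from an ssl-module subject: a tuple of RDNs, each a tuple of pairs."""
    for rdn in subject:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def store_status(ca_certs, now=None):
    """ca_certs: list of dicts as returned by SSLContext.get_ca_certs().
    Reports whether ISRG Root X1 is present and whether DST Root CA X3 is
    present and, if so, expired relative to `now` (epoch seconds)."""
    now = time.time() if now is None else now
    status = {"isrg_root_x1": False, "dst_root_ca_x3": None}
    for cert in ca_certs:
        cn = common_name(cert.get("subject", ()))
        if cn == "ISRG Root X1":
            status["isrg_root_x1"] = True
        elif cn == "DST Root CA X3":
            expires = ssl.cert_time_to_seconds(cert["notAfter"])
            status["dst_root_ca_x3"] = "expired" if expires < now else "valid"
    return status


def triage(records, status):
    """Map the parsed errors plus the store contents to the thread's diagnosis."""
    expired_dst = [r for r in records
                   if r["error_num"] == 10 and "DST Root CA X3" in r["subject"]]
    if not expired_dst:
        return "no-dst-expiry"
    if not status["isrg_root_x1"]:
        return "install-isrg-root-x1"  # update ca-certificates first
    # ISRG Root X1 is trusted yet verification still stops at the expired
    # cross-sign: the OpenSSL 1.0.x long-chain quirk described in the thread.
    return "openssl-1.0.x-long-chain-quirk"


def load_system_store():
    """The client machine's own trust store, via the standard library."""
    return ssl.create_default_context().get_ca_certs()


if __name__ == "__main__":
    recs = parse_verify_output(SAMPLE_VERIFY_OUTPUT)
    print(triage(recs, store_status(load_system_store())))
```

Run it on the affected client rather than on a modern machine: `load_system_store()` reads whatever that host's ca-certificates package installed, which is exactly the question the thread is asking. A result of `openssl-1.0.x-long-chain-quirk` with the expired DST Root CA X3 still in the store matches the situation described for Ubuntu 14.04, where the 1.0.2-era workaround of removing the old root is not available and the fixes are the backported ESM packages, a server-side switch to the short chain, or upgrading the client.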

You could try switching to another FREE CA.


Moving to the short chain is a valid solution as well.

But the proper one is upgrading the client.

