Struggling to get new ISRG root certificate to be recognized in Ubuntu 16

alexweissman · October 16, 2021, 2:00am

I have two separate servers, one for self-hosted mail (with Mail-in-a-box) and one for my web server (with an application that uses PHPMailer), both running Ubuntu 16.04 and using LE. Like many others, I got bitten when the old DST Root CA X3 certificate expired last month. Specifically, my mail server began rejecting outgoing mail from the client - in this case my web server. I found the postfix error in my mail logs:

warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired

and after some googling eventually traced it back to the root cert expiring (see Let's Encrypt's Root Certificate is expiring!).

I tried a few things, including:

Updating the version of openssl on my web server (from 1.0.2g to 1.1.1k)
Checking the version of openssl on my mail server (it's also running 1.1.1)
Removing the old DST certificate from my web server's /etc/ca-certificates.conf list and rebuilding with dpkg-reconfigure -fnoninteractive ca-certificates and update-ca-certificates

Now I get a slightly different error from postfix on my mail server:

TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca.

I tried running the following command on my web server:

openssl s_client -connect mymailserver.com:587 -servername mymailserver.com -starttls smtp

And I get the following:

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mymailserver.com
verify return:1
---
Certificate chain
 0 s:CN = mymailserver.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

Is this a problem on my web server, mail server, or both? What else do I need to do to fix it?

rg305 · October 16, 2021, 4:02am

Hi @alexweissman and welcome to the LE community forum

alexweissman:

And I get the following:

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mymailserver.com
verify return:1

That is actually as good as it can get (using the long/default chain).
OpenSSL is showing "`verify return:1" on all.

If you don't service any older Android systems, you could try switching to the shorter/alternate chain.

rg305 · October 16, 2021, 4:04am

Why not run that interactively?
dpkg-reconfigure ca-certificates
You would get to see which certs are there and choose which to include/exclude.

alexweissman · October 16, 2021, 4:14am

Thanks for your help. Which certs should I exclude to force openssl to use the shorter chain? It looks like DST_Root_CA_X3.crt is still excluded according to the ca-certificates tool, but I need to exclude certain intermediate certs too right?

rg305 · October 16, 2021, 4:42am

No, only exclude "DST Root CA X3".
And ensure "ISRG Root X1" is included.

alexweissman · October 16, 2021, 3:03pm

Hmm, according to the tool I've correctly excluded the old cert and included the new one:

Processing triggers for ca-certificates (20210119~16.04.1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

I saw a few recommendations to run c_rehash in my certs directory, so I tried that:

Doing /usr/lib/ssl/certs
WARNING: dhparam.pem does not contain a certificate or CRL: skipping
WARNING: Skipping duplicate certificate ca-certificates.crt
WARNING: Skipping duplicate certificate ca-certificates.crt

I feel like there must be something wonky or unusual about my configuration, especially since I've been using LE on this server almost from the beginning of LE. Or, there is something super obvious that I need to be doing that I haven't.

I also read something about cross-signed vs non-cross-signed versions of the ISRG cert. Is it possible that my web server and mail server have different versions of this cert, and that's why it's being rejected on the mail server? I tried running:

openssl x509 -text -in /etc/ssl/certs/ISRG_Root_X1.pem

on both machines, and they appear to be identical.

alexweissman · October 16, 2021, 3:08pm

Wait! It seems to be working now (i.e. my web server can now negotiate the TLS and authenticate with my mail server). It seems that just letting it sit overnight allowed it to find the alternate chain? Is there some kind of cert caching going on with openssl and Ubuntu that just needed to refresh?

At any rate, I appreciate your help!

system · November 15, 2021, 3:09pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Letsencrypt renews certificates incorrectly Help	5	726	March 5, 2022
Certificate has expired Help	5	1079	November 11, 2021
DST Root CA certificate not yet valid - Fixed Help	6	775	September 18, 2022
SSL Expriry Issue Help	10	2360	April 16, 2022
Broken links on doc page for DST Root CA X3 Expiration Site Feedback	7	2338	May 9, 2021

Struggling to get new ISRG root certificate to be recognized in Ubuntu 16

Related topics