[Awesome Security] DST Root CA X3 Expiration and use ISRG Root X1 - Let’s Encrypt SSL certificate
DST Root CA X3 Expiration and use ISRG Root X1
Update September 30, 2021 As planned, the DST Root CA X3 cross-sign has expired, and we’re now using our own ISRG Root X1 for trust on almost all devices. For more details about the plan, keep reading! We have also updated our Production Chain Changes thread on our community forum - our team and community are here and ready to help with any questions you may have about this expiration.
On September 30 2021, there will be a small change in how older browsers and devices trust Let’s Encrypt certificates. If you run a typical website, you won’t notice a difference - the vast majority of your visitors will still accept your Let’s Encrypt certificate. If you provide an API or have to support IoT devices, you might have to pay a little more attention to the change.
Test the DST Root CA X3 cross-sign
DST Root CA X3 cross-sign has expired
yum install -y ca-certificates
Fix forDebian, Ubuntu by commenting
Install ca-certificates package
sudo apt install -y ca-certificates
Comment /mozilla/DST_Root_CA_X3.crt from /etc/ca-certificates.conf
sudo sed -i '/^mozilla\/DST_Root_CA_X3.crt$/ s/^/!/' /etc/ca-certificates.conf
Update ca-certificates with update-ca-certificates
Test the ISRG Root X1 Certificate.
ISRG Root X1
 DST Root CA X3 Expiration (September 2021) - Let’s Encrypt - https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
 How to force older debian to forget about DST Root CA X3 Expiration and use ISRG Root X1 - SSL certificate problem: certificate has expired - Stack Overflow - https://stackoverflow.com/questions/69408776/how-to-force-older-debian-to-forget-about-dst-root-ca-x3-expiration-and-use-isrg