[Awesome Security] DST Root CA X3 Expiration and use ISRG Root X1 - Let’s Encrypt SSL certificate

DST Root CA X3 Expiration and use ISRG Root X1


Update (September 30, 2021): As planned, the DST Root CA X3 cross-sign has expired, and we’re now using our own ISRG Root X1 for trust on almost all devices. For more details about the plan, keep reading! We have also updated our Production Chain Changes thread on our community forum - our team and community are here and ready to help with any questions you may have about this expiration.


On September 30 2021, there will be a small change in how older browsers and devices trust Let’s Encrypt certificates. If you run a typical website, you won’t notice a difference - the vast majority of your visitors will still accept your Let’s Encrypt certificate. If you provide an API or have to support IoT devices, you might have to pay a little more attention to the change.

Test the DST Root CA X3 cross-sign

# DST Root CA X3 cross-sign has expired
$ curl https://<Your Site URL>
curl: (60) SSL certificate problem: certificate has expired

# s_client prints the verify result on stderr, so merge it into the pipe and match case-insensitively
$ openssl s_client -showcerts -connect <Your Site URL>:443 </dev/null 2>&1 | grep -i "expired"

Solution

CentOS

$ yum install -y ca-certificates

Debian, Ubuntu

Fix for Debian and Ubuntu: deselect mozilla/DST_Root_CA_X3.crt in /etc/ca-certificates.conf (a leading ! marks an entry as deselected) and rebuild the trust store, so the expired root is no longer part of the bundle.

Install ca-certificates package

$ sudo apt install -y ca-certificates

Comment out mozilla/DST_Root_CA_X3.crt in /etc/ca-certificates.conf by prefixing the line with !

$ sudo sed -i '/^mozilla\/DST_Root_CA_X3.crt$/ s/^/!/' /etc/ca-certificates.conf

Rebuild the trust store with update-ca-certificates

$ sudo update-ca-certificates
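The comment-out step above as a small idempotent script, added here as an example (it is not the author's code or Debian's own tooling). It assumes the stock entry name mozilla/DST_Root_CA_X3.crt and takes the conf path as an argument, so it can be tried on a copy of /etc/ca-certificates.conf before the real file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: deselect the expired DST Root CA X3 entry in a
# ca-certificates.conf file without touching any other line. The entry name
# is the stock Debian/Ubuntu one; the conf path is passed as $1 so the
# functions can be tested on a copy before being run against /etc.
DST_X3_ENTRY='mozilla/DST_Root_CA_X3.crt'

# Print "active" (still selected), "disabled" (already prefixed with '!')
# or "absent" (not listed at all) for the DST Root CA X3 entry in file $1.
dst_x3_status() {
    conf="$1"
    if grep -q "^${DST_X3_ENTRY}\$" "$conf"; then
        echo active
    elif grep -q "^!${DST_X3_ENTRY}\$" "$conf"; then
        echo disabled
    else
        echo absent
    fi
}

# Prefix the entry with '!' only while it is still active, so repeated runs
# are harmless. Exit status 0 means the file no longer selects DST Root CA X3.
disable_dst_x3() {
    conf="$1"
    tmp="${conf}.tmp.$$"
    case "$(dst_x3_status "$conf")" in
        active)
            # '\|' makes '|' the address delimiter, since the entry contains '/'
            sed "\|^${DST_X3_ENTRY}\$| s/^/!/" "$conf" > "$tmp" && mv "$tmp" "$conf"
            ;;
        disabled)
            : ;;
        absent)
            echo "note: ${DST_X3_ENTRY} is not listed in $conf" >&2 ;;
    esac
    [ "$(dst_x3_status "$conf")" != active ]
}

# On a live system: run disable_dst_x3 /etc/ca-certificates.conf as root,
# then run update-ca-certificates to rebuild /etc/ssl/certs from the file.
```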

Test

Test the ISRG Root X1 Certificate.

# ISRG Root X1
$ curl https://<Your Site URL>

# merge stderr so the per-depth verify lines and the final verify code are both visible
$ openssl s_client -showcerts -connect <Your Site URL>:443 </dev/null 2>&1 | grep -i "verify"
verify return:1
Verify return code: 0 (ok)
