The expiring DST Root CA X3 root (used in the Let’s Encrypt chain) can cause problems on old servers:
root@server:/etc# wget https://www.example.com/monitoring
--2021-09-30 21:34:39--  https://www.example.com/monitoring
Resolving www.example.com (www.example.com)... 93.184.216.34
Connecting to www.example.com (www.example.com)|93.184.216.34|:443... connected.
ERROR: The certificate of `www.example.com' is not trusted.
Fortunately, there is an easy workaround to ensure the expired chain is not checked.
According to my understanding the issue on some old systems (like Debian wheezy) comes from the old OpenSSL 1.0.1 version which only tries to validate the expired trust chain.
This can be avoided by removing DST Root CA X3 from the system's CA certificates:
- Edit /etc/ca-certificates.conf and put a bang/exclamation mark (!) before mozilla/DST_Root_CA_X3.crt
- Run update-ca-certificates
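The two steps above as an added shell script (my example, not part of the original post). It assumes the Debian-style /etc/ca-certificates.conf layout, where a line beginning with "!" marks a certificate as not to be included in the generated bundle; the function names, the --apply flag and the sample file contents used below are my own constructions.

```shell
#!/bin/sh
# Added example: mark DST Root CA X3 as disabled in ca-certificates.conf, then
# regenerate the trust bundle. Assumes Debian-style ca-certificates layout
# (a leading "!" disables an entry). Function names are made up for this example.

ENTRY='mozilla/DST_Root_CA_X3.crt'

# is_distrusted CONF -> exit 0 if the entry is already prefixed with "!"
is_distrusted() {
    grep -qx "!$ENTRY" "$1"
}

# distrust_dst_root CONF -> prefix the exact ENTRY line with "!" (idempotent).
# Exit 0 if the entry is disabled afterwards, 1 if the entry is not in CONF.
distrust_dst_root() {
    conf="$1"
    if is_distrusted "$conf"; then
        echo "already disabled: $ENTRY"
        return 0
    fi
    if ! grep -qx "$ENTRY" "$conf"; then
        echo "not found in $conf: $ENTRY" >&2
        return 1
    fi
    # Keep a backup, then rewrite only the exact matching line (no regex,
    # so the dots and slashes in the entry name cannot match anything else).
    cp "$conf" "$conf.bak"
    awk -v e="$ENTRY" '$0 == e { print "!" e; next } { print }' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
    echo "disabled: $ENTRY (backup in $conf.bak)"
}

# Only touch the real system file when explicitly asked (run as root):
#   sh distrust-dst-root.sh --apply
if [ "${1:-}" = "--apply" ]; then
    distrust_dst_root /etc/ca-certificates.conf && update-ca-certificates
fi
```

After running with --apply, a quick check from the affected client is `openssl s_client -connect www.example.com:443 -servername www.example.com </dev/null`, which should now end with "Verify return code: 0 (ok)" instead of a certificate-expired error; the .bak file allows the edit to be reverted by copying it back and running update-ca-certificates again.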
Note: This applies to clients that cannot connect to a server using a Let’s Encrypt certificate. It is not a solution for a server using a Let’s Encrypt certificate.
(Based on https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration)
The expiration is announced here:
https://community.letsencrypt.org/t/production-chain-changes/150739
There is a help thread with additional information:
https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190