Control Web Panel

WebPanel => SSL => Topic started by: rustylh on October 02, 2021, 09:14:51 PM

Title: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021
Post by: rustylh on October 02, 2021, 09:14:51 PM
Having issues with some of my Websites giving me CA Cert errors since "Let's Encrypt DST Root CA X3 expiry Sept 30th 2021"

A Certificate Authority verified SSL certificate was not detected on "Website URL".
Title: Re: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021
Post by: studio4host on October 03, 2021, 11:22:55 AM
On centos 7/8
yum update ca-certificates

Note your browser also needs to be updated
Title: Re: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021
Post by: Biswashost on October 03, 2021, 06:19:44 PM
@sutdiohost, thank you so much.
Title: Re: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021
Post by: Freespirits_GR_Host on October 07, 2021, 07:46:53 PM
Hello everybody

I used the above command using putty
Code: [Select]
yum update ca-certificates

The result was the following


Code: [Select]
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.plusline.net
 * epel: mirrors.xtom.de
 * extras: mirror.23m.com
 * updates: mirror.cuegee.com
varnishcache_varnish5/x86_64/signature                   |  836 B     00:00
varnishcache_varnish5/x86_64/signature                   | 1.0 kB     00:00 !!!
varnishcache_varnish5-source/signature                   |  836 B     00:00
varnishcache_varnish5-source/signature                   | 1.0 kB     00:00 !!!
No packages marked for update

I removed the certificate from the domain and install it again but the problem persists.
Is there a manual way to remove DST Root CA X3 or a workaround?

Thank you in advance.  :)
Title: Re: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021
Post by: _PN_boy on October 08, 2021, 06:38:31 PM
Code: [Select]
/root/.acme.sh/acme.sh --set-default-chain --preferred-chain  "ISRG Root X1"should fix, after reissuing the certificates

this fixes when older clients are connecting to cwp
Title: Re: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021
Post by: Freespirits_GR_Host on October 08, 2021, 07:36:11 PM
I tested the command

Code: [Select]
/root/.acme.sh/acme.sh --set-default-chain --preferred-chain  "ISRG Root X1"

Deleted certificate and reissue. The problem is that to some computers and browsers you get the ISRG Root X1  as root certificate and everything works fine but to other you see the DST Root CA X3 as root certificate so that causes the unsecure connection and ssl expired.

1. Tried to delete cookies
2. Sync time
3. Reset explorer and SSL certificates
4. Removed manually the DST Root CA X3 from browser but when you open website you see the DST Root CA X3 back in certificates.
5. Tested with latest firefox and chrome ver. 94.04606.81

Title: Re: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021
Post by: Freespirits_GR_Host on October 08, 2021, 09:50:13 PM
Finally _PN_boy everything worked perfect with the following command.

Quote
/root/.acme.sh/acme.sh --set-default-chain --preferred-chain  "ISRG Root X1"

The chain is recreated after deleting the certificate and re-issue it. That has to be done for all hosted domains.

Just you have to recache https://www.sslshopper.com/ssl-checker.html to be able to confirm.

For the browsers of some clients and some computers that was not updated you have to insert the certificate manual.

https://freespirits.gr/knowledge-base/58-liksi-dst-root-ca-x3-sfalma-mi-egkyrou-pistopoiitikoy-kai-syndesis-sto-chrome

Thank you very much. Now everything works perfect and i got a solution for my clients in Greek market :). Hope that post will help more people.