Let's Encrypt DST Root CA X3 expiry Sept 30th 2021

Having issues with some of my Websites giving me CA Cert errors since "Let's Encrypt DST Root CA X3 expiry Sept 30th 2021"

A Certificate Authority verified SSL certificate was not detected on "Website URL".

On centos 7/8
yum update ca-certificates

Note your browser also needs to be updated

@sutdiohost, thank you so much.

Hello everybody

I used the above command using putty

Code: [Select]

yum update ca-certificates

The result was the following

Code: [Select]

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.plusline.net
 * epel: mirrors.xtom.de
 * extras: mirror.23m.com
 * updates: mirror.cuegee.com
varnishcache_varnish5/x86_64/signature                   |  836 B     00:00
varnishcache_varnish5/x86_64/signature                   | 1.0 kB     00:00 !!!
varnishcache_varnish5-source/signature                   |  836 B     00:00
varnishcache_varnish5-source/signature                   | 1.0 kB     00:00 !!!
No packages marked for update
I removed the certificate from the domain and install it again but the problem persists.
Is there a manual way to remove DST Root CA X3 or a workaround?

Thank you in advance. 

Code: [Select]

/root/.acme.sh/acme.sh --set-default-chain --preferred-chain  "ISRG Root X1"should fix, after reissuing the certificates

this fixes when older clients are connecting to cwp

I tested the command

Code: [Select]

/root/.acme.sh/acme.sh --set-default-chain --preferred-chain  "ISRG Root X1"

Deleted certificate and reissue. The problem is that to some computers and browsers you get the ISRG Root X1  as root certificate and everything works fine but to other you see the DST Root CA X3 as root certificate so that causes the unsecure connection and ssl expired.

1. Tried to delete cookies
2. Sync time
3. Reset explorer and SSL certificates
4. Removed manually the DST Root CA X3 from browser but when you open website you see the DST Root CA X3 back in certificates.
5. Tested with latest firefox and chrome ver. 94.04606.81

Finally _PN_boy everything worked perfect with the following command.

/root/.acme.sh/acme.sh --set-default-chain --preferred-chain  "ISRG Root X1"

The chain is recreated after deleting the certificate and re-issue it. That has to be done for all hosted domains.

Just you have to recache https://www.sslshopper.com/ssl-checker.html to be able to confirm.

For the browsers of some clients and some computers that was not updated you have to insert the certificate manual.

https://freespirits.gr/knowledge-base/58-liksi-dst-root-ca-x3-sfalma-mi-egkyrou-pistopoiitikoy-kai-syndesis-sto-chrome

Thank you very much. Now everything works perfect and i got a solution for my clients in Greek market . Hope that post will help more people.