Author Topic: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021  (Read 6083 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Let's Encrypt DST Root CA X3 expiry Sept 30th 2021
« on: October 02, 2021, 09:14:51 PM »
Having issues with some of my Websites giving me CA Cert errors since "Let's Encrypt DST Root CA X3 expiry Sept 30th 2021"

A Certificate Authority verified SSL certificate was not detected on "Website URL".

Offline
*
Re: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021
« Reply #1 on: October 03, 2021, 11:22:55 AM »
On centos 7/8
yum update ca-certificates

Note your browser also needs to be updated
VPS & Dedicated server provider with included FREE Managed support for CWP.
http://www.studio4host.com/

*** Don't allow that your server or website is down, choose hosting provider with included expert managed support for your CWP.

Offline
*
Re: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021
« Reply #2 on: October 03, 2021, 06:19:44 PM »
@sutdiohost, thank you so much.
Biswas Host Ltd

www.biswashost.com

Domain, Hosting, Cloud Hosting, VPS, Dedicated Server,

Web Design, SSL, VPN, Professional Email & More

Offline
*
Re: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021
« Reply #3 on: October 07, 2021, 07:46:53 PM »
Hello everybody

I used the above command using putty
Code: [Select]
yum update ca-certificates

The result was the following


Code: [Select]
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.plusline.net
 * epel: mirrors.xtom.de
 * extras: mirror.23m.com
 * updates: mirror.cuegee.com
varnishcache_varnish5/x86_64/signature                   |  836 B     00:00
varnishcache_varnish5/x86_64/signature                   | 1.0 kB     00:00 !!!
varnishcache_varnish5-source/signature                   |  836 B     00:00
varnishcache_varnish5-source/signature                   | 1.0 kB     00:00 !!!
No packages marked for update

I removed the certificate from the domain and install it again but the problem persists.
Is there a manual way to remove DST Root CA X3 or a workaround?

Thank you in advance.  :)
You need a reliable hosting company for your website or your eshop?
Need a cheap, reliable, fast and secure hosting?
You want fast support and action to every technical issue?
Freespirits is here for you :) - Don't look any further!

Offline
*
Re: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021
« Reply #4 on: October 08, 2021, 06:38:31 PM »
Code: [Select]
/root/.acme.sh/acme.sh --set-default-chain --preferred-chain  "ISRG Root X1"should fix, after reissuing the certificates

this fixes when older clients are connecting to cwp

Offline
*
Re: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021
« Reply #5 on: October 08, 2021, 07:36:11 PM »
I tested the command

Code: [Select]
/root/.acme.sh/acme.sh --set-default-chain --preferred-chain  "ISRG Root X1"

Deleted certificate and reissue. The problem is that to some computers and browsers you get the ISRG Root X1  as root certificate and everything works fine but to other you see the DST Root CA X3 as root certificate so that causes the unsecure connection and ssl expired.

1. Tried to delete cookies
2. Sync time
3. Reset explorer and SSL certificates
4. Removed manually the DST Root CA X3 from browser but when you open website you see the DST Root CA X3 back in certificates.
5. Tested with latest firefox and chrome ver. 94.04606.81

You need a reliable hosting company for your website or your eshop?
Need a cheap, reliable, fast and secure hosting?
You want fast support and action to every technical issue?
Freespirits is here for you :) - Don't look any further!

Offline
*
Re: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021
« Reply #6 on: October 08, 2021, 09:50:13 PM »
Finally _PN_boy everything worked perfect with the following command.

Quote
/root/.acme.sh/acme.sh --set-default-chain --preferred-chain  "ISRG Root X1"

The chain is recreated after deleting the certificate and re-issue it. That has to be done for all hosted domains.

Just you have to recache https://www.sslshopper.com/ssl-checker.html to be able to confirm.

For the browsers of some clients and some computers that was not updated you have to insert the certificate manual.

https://freespirits.gr/knowledge-base/58-liksi-dst-root-ca-x3-sfalma-mi-egkyrou-pistopoiitikoy-kai-syndesis-sto-chrome

Thank you very much. Now everything works perfect and i got a solution for my clients in Greek market :). Hope that post will help more people.
You need a reliable hosting company for your website or your eshop?
Need a cheap, reliable, fast and secure hosting?
You want fast support and action to every technical issue?
Freespirits is here for you :) - Don't look any further!