Fix a Let's Encrypt Related Expired Root Certificate on an Old Server
If you have a server with OpenSSL 1.0.x you may have been unable to renew your SSL certificates after September 29th 2021.
Let’s Encrypt has talked about using their own ISRG Root X1 certificate since April 2019.
The short version is if you’re running a server that uses OpenSSL 1.0.x chances
are you started to see errors similar to curl: (60) SSL certificate problem: certificate has expired
when trying to contact sites that happen to use Let’s
Encrypt to issue their SSL certs.
This becomes a chicken / egg problem if you need to renew your own Let’s Encrypt issued SSL certificates because in order to download Let’s Encrypt’s intermediate certificate you need to contact Let’s Encrypt over HTTPS which in itself uses a Let’s Encrypt issued certificate.
The fix is painless and you can hotfix an older server without downtime. Here’s how:
# Demo Video
Commands Run
# Check your OpenSSL version (1.1+ is safe and you don't need to do anything):
$ openssl version
# Check 2 different root certificate's expiration dates:
$ cd /etc/ssl/certs
# The old root certificate:
$ openssl x509 -enddate -noout -in DST_Root_CA_X3.pem
notAfter=Sep 30 14:01:15 2021 GMT
# The new root certificate:
$ openssl x509 -enddate -noout -in ISRG_Root_X1.pem
notAfter=Jun 4 11:04:38 2035 GMT
# Fix the issue by commenting out the old root certificate:
sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf \
&& update-ca-certificates -f
Timestamps
- 0:14 – Modern systems aren’t affected
- 0:31 – This issue prevented me from renewing a Let’s Encrypt certificate
- 0:59 – Let’s Encrypt moved to a new ISRG Root X1 certificate
- 1:55 – Using Docker to emulate the problem on an older version of Debian
- 2:56 – Demonstrating the problem
- 3:17 – Checking the expiration dates of the old DST and new ISRG root certs
- 5:26 – Finding a solution on StackOverflow and following the instructions
- 7:09 – Confirming it works after editing /etc/ca-certificates.conf
- 7:35 – This has been a sign that it’s probably time to upgrade my server
Reference Links
Have you ever had a similar issue happen in the past? Let me know below.