
Fix a Let's Encrypt Related Expired Root Certificate on an Old Server

If you have a server with OpenSSL 1.0.x you may have been unable to renew your SSL certificates after September 29th 2021.

Let’s Encrypt has talked about using their own ISRG Root X1 certificate since April 2019.

The short version: if you're running a server that uses OpenSSL 1.0.x, chances are you started to see errors similar to "curl: (60) SSL certificate problem: certificate has expired" when trying to contact sites that happen to use Let's Encrypt to issue their SSL certs.

This becomes a chicken-and-egg problem if you need to renew your own Let's Encrypt issued SSL certificates: in order to download Let's Encrypt's intermediate certificate you need to contact Let's Encrypt over HTTPS, and that connection itself is secured with a Let's Encrypt issued certificate.

The fix is painless and you can hotfix an older server without downtime. Here’s how:

Demo Video

Commands Run

# Check your OpenSSL version (1.1+ is safe and you don't need to do anything):
$ openssl version

# Check the expiration dates of the two root certificates involved:
$ cd /etc/ssl/certs

# The old root certificate:
$ openssl x509 -enddate -noout -in DST_Root_CA_X3.pem
notAfter=Sep 30 14:01:15 2021 GMT

# The new root certificate:
$ openssl x509 -enddate -noout -in ISRG_Root_X1.pem
notAfter=Jun  4 11:04:38 2035 GMT

# Fix the issue by disabling the old root certificate (a leading '!' in
# /etc/ca-certificates.conf blacklists it) and regenerating the trust bundle:
$ sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf \
  && update-ca-certificates -f
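The following is an added example, not part of the original post: it wraps the post's two checks (is this an OpenSSL 1.0.x host, and is DST Root CA X3 still enabled) and the same sed edit in small shell functions, run against a constructed copy of ca-certificates.conf so it can be exercised without root and without touching the real trust store. The sample file contents and version strings are constructed.

```shell
#!/bin/sh
# Added example (not the post's own code). Exercises the post's checks and fix
# against constructed input; nothing here reads or writes /etc/ssl or /etc/ca-certificates.conf.

# Return 0 when an "openssl version" string belongs to the affected 1.0.x series.
# $1 is the output of `openssl version`, e.g. "OpenSSL 1.0.2g  1 Mar 2016".
openssl_is_affected() {
  case "$1" in
    "OpenSSL 1.0."*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 while DST Root CA X3 is still enabled (not prefixed with '!') in a
# ca-certificates.conf file given as $1.
dst_root_enabled() {
  grep -q '^mozilla/DST_Root_CA_X3' "$1"
}

# Disable DST Root CA X3 in the conf file $1 using the same sed as the post.
# update-ca-certificates skips entries starting with '!'. Idempotent: a line
# that is already disabled is left alone instead of gaining a second '!'.
blacklist_dst_root() {
  if ! dst_root_enabled "$1"; then
    return 0
  fi
  sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' "$1"
}

# Write a constructed stand-in for /etc/ca-certificates.conf and print its path.
make_sample_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# Constructed sample, not copied from a real host
mozilla/DST_Root_CA_X3.crt
mozilla/ISRG_Root_X1.crt
mozilla/DigiCert_Global_Root_CA.crt
EOF
  printf '%s' "$f"
}
```

On a real Debian-style host the equivalent is `blacklist_dst_root /etc/ca-certificates.conf && update-ca-certificates -f` as root, exactly what the post's one-liner does.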

Timestamps

  • 0:14 – Modern systems aren’t affected
  • 0:31 – This issue prevented me from renewing a Let’s Encrypt certificate
  • 0:59 – Let’s Encrypt moved to a new ISRG Root X1 certificate
  • 1:55 – Using Docker to emulate the problem on an older version of Debian
  • 2:56 – Demonstrating the problem
  • 3:17 – Checking the expiration dates of the old DST and new ISRG root certs
  • 5:26 – Finding a solution on Stack Overflow and following the instructions
  • 7:09 – Confirming it works after editing /etc/ca-certificates.conf
  • 7:35 – This has been a sign that it’s probably time to upgrade my server

Have you ever had a similar issue happen in the past? Let me know below.
