Let’s Encrypt Root CA expired… What Next?

Reddeppa S
Oct 5, 2021

On September 30th, 2021, the DST Root CA X3 certificate that had cross-signed Let's Encrypt's chain expired. Websites serving Let's Encrypt certificates to browsers saw little impact, because most browsers already trust ISRG Root X1. The impact fell mainly on applications that expose APIs or that authenticate to other services with certificates, where the client side validates against an outdated trust store or an old OpenSSL. Below are the steps you can take to fix the issue.

As per the Let's Encrypt website (https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/): "If you provide an API or have to support IoT devices, you'll need to make sure of two things: (1) all clients of your API must trust ISRG Root X1 (not just DST Root CA X3), and (2) if clients of your API are using OpenSSL, they must use version 1.1.0 or later. In OpenSSL 1.0.x, a quirk in certificate verification means that even clients that trust ISRG Root X1 will fail when presented with the Android-compatible certificate chain we are recommending by default."

ISRG Root X1 covers the RSA chain, but it is not the whole picture. The flow of trust in the Let's Encrypt chain is as follows: an RSA leaf certificate is issued by the R3 intermediate, which is signed by ISRG Root X1 (and was, until September 30th, also cross-signed by DST Root CA X3); an ECDSA leaf certificate is issued by the E1 intermediate under ISRG Root X2, which is itself cross-signed by ISRG Root X1.

Ref: https://letsencrypt.org/certificates/

So trust ISRG Root X2 as well if your clients must also accept Let's Encrypt's ECDSA chain (E1), not only the RSA chain (R3).

Fix:

To fix this, download the following from https://letsencrypt.org/certificates/:

ISRG Root X1

ISRG Root X2

Intermediate Certificate R3

Concatenate these PEM certificates and save the result with a .crt extension (update-ca-certificates only picks up files ending in .crt). Only the two roots are trust anchors; a correctly configured server sends R3 in the TLS handshake, but bundling it locally lets your clients build the chain even against servers that send only the leaf. With this file you have the full chain needed to validate Let's Encrypt certificates.

Copy the .crt file into the local CA directory of your application server. On Ubuntu 18.04 the distribution's own copy of the root already lives at

/usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt

(it is only enabled if its entry in /etc/ca-certificates.conf is not commented out), while locally added certificates belong in /usr/local/share/ca-certificates/, which is where the merged .crt should go.

Run the update command on the server (as root):

update-ca-certificates

This rebuilds /etc/ssl/certs/ca-certificates.crt and the hashed symlinks in /etc/ssl/certs/ that OpenSSL uses, and should fix the Root CA expiration issue. Two caveats: updating the ca-certificates package itself is the simplest way to get current anchors, and if a client runs OpenSSL 1.0.x the expired DST Root CA X3 must also be removed from its trust store (prefix its entry in /etc/ca-certificates.conf with "!" and rerun update-ca-certificates), or OpenSSL upgraded to 1.1.0 or later, as the Let's Encrypt guidance quoted above says.
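The procedure above can be checked offline with openssl. The script below is an added example, not part of the original post: it splits a PEM bundle into individual certificates, flags anchors that are expired or expiring within a lookahead (which is how you spot a lingering DST Root CA X3), and verifies a leaf plus intermediate against a bundle that contains trust anchors only, the same check an OpenSSL-based API client performs. It assumes openssl 1.1.0 or newer on PATH; make_test_pki builds a constructed, throwaway PKI whose names merely mimic Let's Encrypt's, so root.pem, other.pem, r3.pem and leaf.pem are illustrative file names, not Let's Encrypt's certificates.

```shell
#!/bin/sh
# Added example (not from the original post): audit a PEM trust bundle for
# expired/expiring anchors and verify a Let's Encrypt style chain against it.
# Assumes openssl (1.1.0 or newer) on PATH. All file names are illustrative.
set -e

# Split the PEM bundle $1 into one file per certificate inside directory $2.
split_bundle() {
  awk -v d="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", d, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { close(f); inside = 0 }' "$1"
}

# Print one line per anchor in bundle $1: OK or EXPIRING, then subject and notAfter.
# $2 is a lookahead in seconds (0 = already expired; 2592000 = within 30 days).
audit_bundle() {
  within=${2:-0}
  dir=$(mktemp -d)
  split_bundle "$1" "$dir"
  for c in "$dir"/*.pem; do
    if openssl x509 -in "$c" -noout -checkend "$within" >/dev/null; then
      status=OK
    else
      status=EXPIRING
    fi
    printf '%s %s %s\n' "$status" \
      "$(openssl x509 -in "$c" -noout -subject)" \
      "$(openssl x509 -in "$c" -noout -enddate)"
  done
  rm -rf "$dir"
}

# Number of anchors in bundle $1 that expire within $2 seconds.
count_expiring() {
  audit_bundle "$1" "$2" | awk '/^EXPIRING/ { n++ } END { print n + 0 }'
}

# Verify leaf $3 using intermediate(s) $2, trusting only the anchors in $1.
# With DST Root CA X3 absent from $1 this must still succeed via ISRG Root X1.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build a constructed test PKI in directory $1: a self-signed root, an
# intermediate "R3" signed by it, a leaf for api.example.test, and a second,
# unrelated root. Keys are throwaway; only the names mimic Let's Encrypt's.
make_test_pki() {
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:api.example.test
EOF
  for r in root other; do
    openssl req -x509 -config "$d/ca.cnf" -extensions ca -newkey rsa:2048 -nodes \
      -keyout "$d/$r.key" -out "$d/$r.pem" -subj "/CN=Test $r" -days 1 2>/dev/null
  done
  openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/r3.key" -out "$d/r3.csr" -subj "/CN=Test R3" 2>/dev/null
  openssl x509 -req -in "$d/r3.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.cnf" -extensions ca -out "$d/r3.pem" -days 1 2>/dev/null
  openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=api.example.test" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/r3.pem" -CAkey "$d/r3.key" -CAcreateserial \
    -extfile "$d/ca.cnf" -extensions leaf -out "$d/leaf.pem" -days 1 2>/dev/null
}
```

On a real server, run audit_bundle against /etc/ssl/certs/ca-certificates.crt with a lookahead such as 2592000 to list roots expiring within 30 days, and run verify_chain with the bundle you just installed, the R3 intermediate and your API's leaf certificate to confirm the chain validates without DST Root CA X3.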
