Fix Expired Let’s Encrypt 9/30
A quick, plain English fix and explanation of the Let’s Encrypt expiring root certificate issue for clients + users

Introduction
Here’s the deal: Let’s Encrypt uses a root CA certificate that is “cross-signed”. This basically means it’s like having 2 root CAs in 1, but your device only needs to trust 1 of them, not both.
This helped Let’s Encrypt when they started because DST Root CA X3 is older and was already trusted by most devices, and they could wait for their new cert, ISRG Root X1, to get added to most devices later.
DST Root CA X3 just expired, and if your clients/users are seeing an expired certificate error (like ERR_CERT_DATE_INVALID), then it’s for one of two reasons:
Fixing The Issue
The OpenSSL Bug
If your client is running an old OpenSSL version, there is a bug. It’s supposed to ignore the expired DST Root CA X3 since ISRG Root X1 is still valid, but unfortunately it doesn’t.
The hard way to fix this is upgrading your OpenSSL. The easy way to fix this is just to remove that certificate from the list of root CAs on your device.
On Amazon Linux, your root CAs can be found in two files at:
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
They’re all stored together. Search for DST Root CA X3 in both files and delete it.
On Ubuntu, your root CAs can be found at: /etc/ssl/certs
They’re stored individually. Do a ls -l | grep DST to find the expired certificate and remove those files.
etc. etc. Regardless of the OS, you just have to find the root CAs and remove DST Root CA X3 from them. (Read the next section for where you can find them on MacOS, iPhone & Android.)
Missing Root CA
Okay, this one is not great. It’s possible your device is missing the ISRG Root X1 root certificate. Getting it on your device might be simple or not.