I've been aware of the upcoming expiry of the DST Root CA X3 certificate which expired on 30th September 2021. My ISPconfig install has continued to renew and produce certificates via LE, but it looks like it's continuing to use the old certificate chain going back to the now expired root CA. Here's a typical chain in all my created / renewed certificates as shown by FileZilla:

0 - server certificate ok
1 - Intermediate 1 -> R3 Let's Encrypt - expiring 15/09/2025
2 - Intermediate 2 -> ISRG Root X1 - expiring 30/09/2024
3 - Root -> DST Root CA X3 - expired 30/09/2021

I've read about the issue, LE have detailed it here: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

What I don't understand is according to the signing chain detailed here: https://letsencrypt.org/certificates/ the cross-signing doesn't appear to be working, used or recognised. HTTPS certificates seem to be OK when used with Firefox and Chrome. FTP is OK when used with FlashFXP. But when using FileZilla, it complains about the expired DST Root CA X3 certificate.

So is there something I should do about it? Is it something that should go away in the near future during a renewal? I'm not too worried about it apart from when a client wants to use FileZilla and gets the warnings about the expired root used in the chain.
Are you using an older Debian or Ubuntu version? Then please see here: https://www.howtoforge.com/communit...-expiration-september-2021.87761/#post-427870
It's a Linode running Ubuntu 20.04.3 LTS, certbot 0.40.0-1ubuntu0.1, ISPC 3.2.5.

I wondered if there was a stupid mistake in the chaining of the actual certificate files to create the PEM, but that's OK, I have my private key + certificate + R3 intermediate + ISRG X1 root. There's no mention in there of the DST Root CA X3.

This would suggest the problem is with the software (FileZilla), but having quickly searched, FileZilla does not come with any certificate information, so I'm not sure where this DST Root CA X3 is coming from.
If someone has a problem with the certificate in the root chain and wants to permanently fix the issue with the expired DST Root CA X3, just change the preferred chain from the default DST Root CA X3 to ISRG Root X1. Commands:

Code:
acme.sh --set-default-chain --preferred-chain "ISRG" --server letsencrypt

After this, renew the cert on the production server:

Code:
acme.sh --renew --domain n1.domain.com --force

[replace n1.domain.com with your hostname domain]
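Added example, not part of any post in this thread: a PEM bundle can hold a certificate whose subject is one root's name while its issuer is a different CA (a cross-signed certificate), and that only shows up when the issuer field of every certificate in the file is read. The script below lists subject, issuer and expiry for each certificate in a bundle; the function names are hypothetical and the sample chain is constructed with `openssl`, not real Let's Encrypt data.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): inspect the certificates inside a PEM bundle.

# list_chain BUNDLE: one line per certificate, "N | subject=...|issuer=...|notAfter=..."
list_chain() {
  local bundle=$1 tmp f n=0
  tmp=$(mktemp -d) || return 1
  # Split into one file per certificate; private-key blocks are skipped.
  awk -v d="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/%03d.pem", d, ++i) }
    out                           { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }' "$bundle"
  for f in "$tmp"/*.pem; do
    [ -e "$f" ] || break
    printf '%d | %s\n' "$n" \
      "$(openssl x509 -in "$f" -noout -subject -issuer -enddate | paste -sd'|' -)"
    n=$((n + 1))
  done
  rm -rf "$tmp"
}

# chain_issued_by BUNDLE NAME: exit 0 if any certificate's issuer contains NAME.
chain_issued_by() {
  list_chain "$1" | awk -F'|' '{ print $3 }' | grep -F -- "$2" >/dev/null
}

# make_sample_bundle DIR: write DIR/fullchain.pem, a constructed bundle (not real
# Let's Encrypt data): key + leaf + a "New Root" certificate issued by "Old Root".
make_sample_bundle() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Old Root" \
    -keyout "$d/old.key" -out "$d/old.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed New Root" \
    -keyout "$d/new.key" -out "$d/new.csr" 2>/dev/null
  openssl x509 -req -in "$d/new.csr" -CA "$d/old.pem" -CAkey "$d/old.key" \
    -CAcreateserial -days 2 -out "$d/cross.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/cross.pem" -CAkey "$d/new.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.key" "$d/leaf.pem" "$d/cross.pem" > "$d/fullchain.pem"
}

# Usage: ./script BUNDLE.pem   (prints the chain of an existing bundle)
if [ $# -gt 0 ]; then list_chain "$1"; fi
```

Running `chain_issued_by fullchain.pem "DST Root CA X3"` against a served bundle shows whether any certificate in the file still chains to that issuer.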