Let's Encrypt and expired DST Root CA X3

Discussion in 'General' started by tfboy, Oct 2, 2021.

  1. tfboy

    tfboy Member

    I've been aware of the upcoming expiry of the DST Root CA X3 certificate which expired on 30th September 2021.
    My ISPconfig install has continued to renew and produce certificates via LE, but it looks like it's continuing to use the old certificate chain going back to the now expired root CA.
    Here's a typical chain in all my created / renewed certificates as shown by FileZilla:
    0 - server certificate ok
    1 - Intermediate 1 -> R3 Let's Encrypt - expiring 15/09/2025
    2 - Intermediate 2 -> ISRG Root X1 - expiring 30/09/2024
    3 - Root -> DST Root CA X3 - expired 30/09/2021
    I've read about the issue, LE have detailed it here: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
    What I don't understand is that, according to the signing chain detailed here: https://letsencrypt.org/certificates/ the cross-signing doesn't appear to be working, used or recognised.
    HTTPS certificates seem to be OK when used with Firefox and Chrome.
    FTP is OK when used with FlashFXP. But when using FileZilla, it complains about the expired DST Root CA X3 certificate.
    So is there something I should do about it? Is it something that should go away in the near future during a renewal?
    I'm not too worried about it apart from when a client wants to use FileZilla and gets the warnings about the expired root used in the chain.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    tfboy likes this.
  3. tfboy

    tfboy Member

    It's a Linode running Ubuntu 20.04.3 LTS, certbot 0.40.0-1ubuntu0.1, ISPC 3.2.5
    I wondered if there was a stupid mistake in the chaining of the actual certificate files to create the PEM, but that's OK: I have my private key + certificate + R3 intermediate + ISRG X1 root. There's no mention in there of the DST Root CA X3.
    This would suggest the problem is with the software (FileZilla), but having quickly searched, FileZilla does not come with any certificate information, so not sure where this DST Root CA X3 is coming from.
  4. Kris86

    Kris86 New Member

    If someone has a problem with the certificate in the root chain and wants to permanently fix the issue with expired DST Root CA X3, just change the preferred chain from the default DST Root CA X3 to ISRG Root X1.

    acme.sh --set-default-chain  --preferred-chain "ISRG"   --server  letsencrypt
    After this, renew the cert on the production server:
    acme.sh --renew --domain n1.domain.com --force
    [replace n1.domain.com with your hostname].
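As an added illustration of why the chain in the first post warns in one client and not another, and what switching the preferred chain to "ISRG" changes, here is a simplified Python model of chain building. It is not code from this thread, ISPConfig, certbot or acme.sh. Certificates are reduced to (subject, issuer, notAfter) tuples constructed here from the names and dates given in the thread (the leaf expiry and the ISRG Root X1 self-signed expiry are assumptions); signature verification is omitted, and the "stop at first trusted anchor" versus "walk the served chain to its root" switch is a modelling choice, not a claim about how FileZilla or any other client is implemented.

```python
"""Simplified model of X.509 path building around the DST Root CA X3 expiry.

Added example, not code from the forum thread or from ISPConfig/acme.sh.
Certificates are (subject, issuer, not_after) tuples constructed here; a
real validator also checks signatures, extensions and revocation.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed approximations of the certificates named in the thread.
# Dates for R3, the ISRG Root X1 cross-sign and DST Root CA X3 are the ones
# tfboy listed; the leaf and self-signed ISRG Root X1 dates are assumptions.
LEAF = Cert("n1.example.test", "R3", datetime(2021, 12, 15))
R3 = Cert("R3", "ISRG Root X1", datetime(2025, 9, 15))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30))
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30))

# What the server sends in each configuration (leaf first).
DEFAULT_CHAIN = [LEAF, R3, ISRG_X1_CROSS]   # default chain, ends in the cross-sign
ISRG_CHAIN = [LEAF, R3]                     # after --preferred-chain "ISRG"

# Two trust stores: one that already ships ISRG Root X1, one that only has DST.
MODERN_STORE = {ISRG_X1_SELF, DST_X3}
LEGACY_STORE = {DST_X3}


def build_path(chain, trust_store, now, stop_at_trusted=True):
    """Walk from the leaf towards a root.

    Returns (ok, path, reason). With stop_at_trusted=True the walk ends as
    soon as a certificate's subject is a trust anchor; with False it insists
    on reaching a self-signed root, so an expired cross-sign issuer is hit.
    """
    by_subject = {c.subject: c for c in chain}
    anchors = {c.subject: c for c in trust_store}
    path, cert = [], chain[0]
    while True:
        path.append(cert)
        if cert.not_after < now:
            return False, path, f"{cert.subject} expired on {cert.not_after:%Y-%m-%d}"
        if stop_at_trusted and cert.subject in anchors:
            return True, path, f"anchored at trusted {cert.subject}"
        if cert.is_self_signed():
            ok = cert.subject in anchors
            return ok, path, ("trusted root " if ok else "untrusted root ") + cert.subject
        # Prefer the certificate the server sent, then fall back to the store.
        nxt = by_subject.get(cert.issuer) or anchors.get(cert.issuer)
        if nxt is None:
            return False, path, f"no certificate available for issuer {cert.issuer}"
        cert = nxt


def evaluate(now=datetime(2021, 10, 2)):
    """Run the cases discussed in the thread; returns name -> (ok, subjects, reason)."""
    cases = {
        "default chain, modern store, stop at anchor": (DEFAULT_CHAIN, MODERN_STORE, True),
        "default chain, modern store, walk to root": (DEFAULT_CHAIN, MODERN_STORE, False),
        "default chain, legacy store": (DEFAULT_CHAIN, LEGACY_STORE, True),
        "ISRG chain, modern store": (ISRG_CHAIN, MODERN_STORE, True),
        "ISRG chain, legacy store": (ISRG_CHAIN, LEGACY_STORE, True),
    }
    results = {}
    for name, (chain, store, stop) in cases.items():
        ok, path, reason = build_path(chain, store, now, stop)
        results[name] = (ok, [c.subject for c in path], reason)
    return results


if __name__ == "__main__":
    for name, (ok, subjects, reason) in evaluate().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {' -> '.join(subjects)} ({reason})")
```

The model shows the two sides of the trade-off: a client that stops at ISRG Root X1 accepts the default chain and never looks at DST Root CA X3, while a client that walks every certificate it was sent, or one whose store only contains DST Root CA X3, ends at the expired root. Switching to the "ISRG" chain removes the expired root from the path for clients that trust ISRG Root X1, but the last case shows the cost: a client that only knows DST Root CA X3 can no longer build a path at all.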
