Friday, October 1, 2021

DST Root CA X3 Expiration (30 September 2021)

 

According to the given information in Let's Encrypt Official site which is reachable at the following url https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ the important message is From Sept 30th 2021 Let's Encrypts previous root certificate DST Root CA X3 (and it's R3 intermediate) will expire. It has been replaced by their ISRG Root X1 certificate (and replacement R3 intermediate).


The impact of this expired root certificate may cause your server or some of your users will experience the following error message at their browser :

Your connection is not private
Attackers might be trying to steal your information from {domain name}.

NET::ERR_CERT_AUTHORITY_INVALID
NET::ERR_CERT_DATE_INVALID


To fix this issue from the server sider, we need to remove and disable the DST_Root_CA_X3:

# Find DST_Root_CA_X3 location :
root@localhost:~# locate DST_Root_CA_X3.crt
/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt

# Remove DST_Root_CA_X3 :
root@localhost:~# rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt

# Edit ca-certificates list :
root@localhost:~#  vi /etc/ca-certificates.conf
# Find mozilla/DST_Root_CA_X3.crt and disable it 
!mozilla/DST_Root_CA_X3.crt

# Then update CA
root@ssocon:~# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.

Or you can simply reboot your server.

For client side simply ask them to update their browser version and also add/update the following certificates :

Root CA Certificates :

ISRG Root X1 : PEM Format | DER Format
ISRG Root X2 : PEM Format | DER Format

Intermediate Certificate :

Lets Encrypt R3 : PEM Format | DER Format

I hope this information will be useful.



40 Hadist Seputar Keluarga Samawa (Bagian 3)

 ﷽ Ustadz Yusuf Abu Ubaidah As-Sidawi hafizahullohuta'ala Masjid Al-Aziz  Jl. Soekarno Hatta No. 662 Bandung Hadist 11 : Doa Orangtua Bu...