search cancel

Let's Encrypt Issued Certificates - DST Root CA X3 Certificate Expiration (September 30, 2021)

book

Article ID: 225163

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Your request contacted a host which presented an expired or Invalid certificate when connecting to a site using a "Lets Encrypt" Issued Certificates.

Cause

DST Root CA X3 Expiration (September 30, 2021) and due to the cross signing nature of the certificate, the chain is being constructed with the expired cert. 

Resolution

You will need to remove the expired certificate from the Browser Trusted CCL and also the CA certificate list in the proxy. Below are the CLI commands to perform both functions. 

Blue Coat SG Series>en
Enable Password:
Blue Coat SG Series#
Blue Coat SG Series#conf t
Enter configuration commands, one per line.  End with CTRL-Z.
Blue Coat SG Series#(config)ssl
Blue Coat SG Series#(config ssl)edit ccl browser-trusted
Blue Coat SG Series#(config ssl ccl browser-trusted)remove DST_Root_CA_X3
  ok
Blue Coat SG Series#(config ssl ccl browser-trusted)exit
Blue Coat SG Series#(config ssl)delete ca-certificate DST_Root_CA_X3
  ok
Blue Coat SG Series#(config ssl)exit
Blue Coat SG Series#(config)exit

You will need remove cached intermediate certificates if you still see expired or Invalid certificate exceptions. 
Below are the CLI commands to perform remove the cached intermediate certificates. 

Blue Coat SG Series>en
Enable Password:
Blue Coat SG Series#
Blue Coat SG Series#
Blue Coat SG Series#conf t
Enter configuration commands, one per line.  End with CTRL-Z.
Blue Coat SG Series#(config)ssl
Blue Coat SG Series#(config ssl)
Blue Coat SG Series#(config ssl)
Blue Coat SG Series#(config ssl)intermediate-cert-cache
Blue Coat SG Series#(config ssl icc)clear-cache
  ok
Blue Coat SG Series#(config ssl icc)

 

NOTE:  Please review additional information below.  Additional Chain of Trust certificates affected by DST Root CA X3 cross-sign expiration is more broad than original thought.  Details from 'Lets Encrypt', with hierarchy provided below.

NOTE: The way that proxy builds and validates certificates chains have been modified since the 6.7.5.7 version of code and as such, you should only experience this if running 6.7.5.7 and lower. 

Additional Information

For more specific details see the article below from Let's Encrypt regarding the expiration. 

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Let's Encrypt Chain of Trust Hierarchy

https://letsencrypt.org/certificates/

The root certificate ISRG Root X1 has also been linked to Let's Encrypt expiration issues as found in 'Chain of Trust' Hierarchy above.  Being imported into CA Certificates, then into added to Browser Trusted for affected domains has proven to resolve this issue.  If you find additional Let's Encrypt certificates affected, review the Chain of Trust Hierarchy to see if there is a certificate related that needs to be imported for the expired. 

Note the Examples below for ISRG Root X1:

 

Attachments