Let's Encrypt Issued Certificates - DST Root CA X3 Certificate Expiration (September 30, 2021)

book

Article ID: 225163

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Your request contacted a host which presented an expired or Invalid certificate when connecting to a site using a "Lets Encrypt" Issued Certificates.

Cause

DST Root CA X3 Expiration (September 30, 2021) and due to the cross signing nature of the certificate, the chain is being constructed with the expired cert. 

Resolution

You will need to remove the expired certificate from the Browser Trusted CCL and also the CA certificate list in the proxy. Below are the CLI commands to perform both functions. 

en
conf t
ssl
edit ccl browser-trusted
remove DST_Root_CA_X3
exit
delete ca-certificate DST_Root_CA_X3
exit
exit

NOTE:  Please review additional information below.  Additional Chain of Trust certificates affected by DST Root CA X3 cross-sign expiration is more broad than original thought.  Details from 'Lets Encrypt', with hierarchy provided below.

NOTE: The way that proxy builds and validates certificates chains have been modified since the 6.7.5.7 version of code and as such, you should only experience this if running 6.7.5.7 and lower. 

Additional Information

For more specific details see the article below from Let's Encrypt regarding the expiration. 

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Let's Encrypt Chain of Trust Hierarchy

https://letsencrypt.org/certificates/

The root certificate ISRG Root X1 has also been linked to Let's Encrypt expiration issues as found in 'Chain of Trust' Hierarchy above.  Being imported into CA Certificates, then into added to Browser Trusted for affected domains has proven to resolve this issue.  If you find additional Let's Encrypt certificates affected, review the Chain of Trust Hierarchy to see if there is a certificate related that needs to be imported for the expired. 

Note the Examples below for ISRG Root X1:

 

Attachments