Let's Encrypt X3 root certificate expiration

On September 30th, the DST Root CA X3 used by Let's Encrypt expired and was replaced by the ISRG Root X1 certificate. Whether the new certificate validates correctly also depends on the version of OpenSSL used to connect. More details are available in this article from Let's Encrypt.


Update 4th October 2021:

Fix released for v5 and v6

A fix has been released for the v5 and v6 stacks. To apply these fixes you will need to upgrade to stable-v5-3.0.72 or stable-v6-1.0.42. As always when upgrading your environment, it is advised to follow our upgrade documentation. For the v4 stack, the manual fix detailed below must be used.


How does this impact an application hosted on the EY platforms?

Accessing external services from your app

If you're accessing external services and seeing certificate errors, then most likely the new Let's Encrypt root CA (ISRG Root X1) needs to be installed on the instances so that they can validate the certificates Let's Encrypt now issues.

Stack v6

Apply the available stable-v6-1.0.42 stack upgrade, or:

sudo apt install ca-certificates

Stack v5

Apply the available stable-v5-3.0.72 stack upgrade, or apply the manual fix as per the below v4 instructions.

Stack v4

$ sudo su -
# curl --insecure https://letsencrypt.org/certs/isrgrootx1.pem > /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
# echo 'mozilla/ISRG_Root_X1.crt' >> /etc/ca-certificates.conf
# rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
# rm /etc/ssl/certs/DST_Root_CA_X3.pem
# sed -i '/DST_Root_CA_X3.crt/d' /etc/ca-certificates.conf
# update-ca-certificates
Updating certificates in /etc/ssl/certs...
WARNING: Skipping duplicate file cacert.pem
1 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
#


External connections to your app

In the above solution we remove the expired certificate from the instances. This is necessary because, even with the new root certificate installed, if the remote server's Let's Encrypt intermediate certificate chains up to the expired DST Root CA X3, certain versions of OpenSSL on the client machine will still try to use the expired root certificate and return a 'certificate expired' error. Where the expired certificate is on an end user's client machine, it is not possible to remove it. In that case it is advisable to replace the intermediate certificate with one that does not depend on DST Root CA X3. This can be achieved by passing the --preferred-chain "ISRG Root X1" argument when generating a new certificate. Depending solely on the new root certificate changes which clients are compatible, so it is worth checking compatibility using https://www.ssllabs.com/ssltest/ both before and after the certificate change. If you need to continue to support older clients, the simplest solution is to source a certificate from an alternative provider.
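To confirm which chain a server actually sends before and after reissuing with --preferred-chain "ISRG Root X1", the following added example (not code from Engine Yard or Let's Encrypt) classifies the subject/issuer lines printed by `openssl s_client -showcerts`; the two transcripts embedded in it are constructed samples.

```python
# Added example, not from the article: classify the chain a server sends, as
# printed by `openssl s_client -connect host:443 -showcerts </dev/null`.
import re
import sys

EXPIRED_ROOT, NEW_ROOT = "DST Root CA X3", "ISRG Root X1"
# s_client prints " N s:<subject DN>" then "   i:<issuer DN>" for each cert.
CHAIN_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")

# Constructed transcripts; only subject/issuer lines matter, PEM bodies omitted.
LONG_CHAIN = """\
 0 s:CN = www.example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""
SHORT_CHAIN = "\n".join(LONG_CHAIN.splitlines()[:4]) + "\n"

def common_name(dn):
    """Extract the CN from 'CN = X' (OpenSSL 1.1) or '/CN=X' (older) DNs."""
    m = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(transcript):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in transcript.splitlines():
        m = CHAIN_LINE.match(line)
        if not m:
            continue
        if m.group(1) == "s":
            subject = common_name(m.group(2))
        elif subject is not None:
            chain.append((subject, common_name(m.group(2))))
            subject = None
    return chain

def assess(chain):
    """'cross-signed': ends in the DST-signed ISRG Root X1, so clients with an
    old OpenSSL still walk to the expired root; 'isrg-root-x1': what
    --preferred-chain "ISRG Root X1" produces; 'other': no Let's Encrypt root."""
    if any(issuer == EXPIRED_ROOT for _, issuer in chain):
        return "cross-signed"
    return "isrg-root-x1" if chain and chain[-1][1] == NEW_ROOT else "other"

if __name__ == "__main__":
    served = parse_chain(sys.stdin.read())
    print(*(f"{s} <- {i}" for s, i in served), assess(served), sep="\n")
```

Pipe a live `openssl s_client -showcerts` transcript into the script to get the served chain and its verdict; a "cross-signed" result on your own server means the intermediate still depends on DST Root CA X3.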
