Short description

Some VPS instances might be experiencing expired certificate errors because the DST Root CA X3 certificate, which cross-signs Let's Encrypt certificates, has expired. Instances running the following operating systems might not be able to connect to servers using Let's Encrypt certificates. These operating systems might also not be able to access the Let's Encrypt endpoints to issue or renew certificates after September 30, 2021:

  • CentOS and RHEL 7 or lower

  • Ubuntu 16.04 or lower

  • Debian 8 or lower

For compatibility purposes, Let's Encrypt certificates default to using a certificate chain that's cross-signed by the DST Root CA X3 certificate that expired on Sept 30th, 2021.

With OpenSSL 1.0.2, the untrusted chain is always preferred. This means that the expired certificate is seen and the entire chain is distrusted as expired. Servers with the affected version of OpenSSL and the DST Root CA X3 certificate in their root store can't issue or renew Let's Encrypt certificates. Impacted servers also can't connect to other servers that use Let's Encrypt certificates.

What does the error look like?

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

How to fix it?

To fix the issue, connect to your VPS via SSH and use one of the commands below, based on your operating system:

CentOS 6

yum update 'openssl*'

CentOS 7

yum update ca-certificates

Debian/Ubuntu

apt-get install libgnutls-openssl27

or

sed -i 's#mozilla/DST_Root_CA_X3.crt#!mozilla/DST_Root_CA_X3.crt#' /etc/ca-certificates.conf && update-ca-certificates
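To confirm whether a Debian/Ubuntu host meets both conditions described above (an old OpenSSL and DST Root CA X3 still enabled in the root store), and to verify the sed fix afterwards, the following check can be used. It is an added example, not part of the original article; the function names are hypothetical, and treating OpenSSL releases older than the 1.0.2 named above as equally affected is an assumption.

```shell
#!/bin/sh
# Added example: checks the two conditions this article describes.

# State of DST Root CA X3 in a ca-certificates.conf-style file:
# "enabled", "disabled" (entry prefixed with '!'), or "absent".
dst_x3_state() {
    conf=$1
    if grep -q '^mozilla/DST_Root_CA_X3\.crt[[:space:]]*$' "$conf"; then
        echo enabled
    elif grep -q '^!mozilla/DST_Root_CA_X3\.crt[[:space:]]*$' "$conf"; then
        echo disabled
    else
        echo absent
    fi
}

# Succeeds if an `openssl version` string is from the 1.0.x line or older.
# The article names 1.0.2; including earlier releases is an assumption.
openssl_is_affected() {
    case $1 in
        "OpenSSL 0."*|"OpenSSL 1.0."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine both checks. $1 = openssl version string, $2 = path to conf file.
host_verdict() {
    state=$(dst_x3_state "$2")
    if openssl_is_affected "$1" && [ "$state" = enabled ]; then
        echo AFFECTED
    else
        echo OK
    fi
}

# On a real host:
#   host_verdict "$(openssl version)" /etc/ca-certificates.conf
```

After running the sed command and update-ca-certificates, dst_x3_state should report "disabled" and host_verdict should report OK.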