DST Root CA X3 Expiration and Let’s Encrypt (Sep 2021)

On September 30th, 2021, the DST Root CA X3 certificate that is used in the chain of trust for Let’s Encrypt expired. Clients that do not recognize ISRG Root X1 now fail security checks when accessing sites that use Let’s Encrypt as their SSL provider.

The details can be found in the post published by Let’s Encrypt about this issue.

The problem is not specific to the MediaCP software and affects many users of Let’s Encrypt certificates. Many cPanel users are also experiencing the problem.

Our technical team have done some further research and we’ve written this guide on how to solve the problem on any CentOS or Debian machine.

How to check if you are affected?

Checking for the issue is simple: run the following on your MediaCP system (replacing your-domain.com with your actual domain name).

curl https://your-domain.com:2020 > /dev/null

If there is a problem, you will see the error “(60) SSL certificate problem: certificate has expired”. Do not worry: your certificate is not necessarily expired, and the solution is simple.

Workaround

CentOS 7+

For servers running CentOS 7 or higher, the issue has been solved in recent operating system updates. We recommend running the following on your system as the root user.

yum clean all;
yum -y update;
yum -y install ca-certificates;
yum -y update ca-certificates;
update-ca-trust;

Debian Servers

For Debian servers, the problem can be solved simply by running the following on your system as root:

mv /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt.backup;
sudo update-ca-certificates;
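
To confirm the state of the trust configuration after the Debian workaround, the following added example (not part of the original guide or of the MediaCP software) audits a file in the /etc/ca-certificates.conf format that update-ca-certificates reads. The function names and the ISRG_Root_X1.crt file name are assumptions, and the sample tree is constructed from empty placeholder files.

```shell
#!/bin/sh
# Added example: audit a Debian-style CA configuration after the workaround.
# CONF uses the /etc/ca-certificates.conf format: one certificate path per
# line relative to CERTDIR, "!" prefix = deselected, "#" = comment.
# Return: 0 = DST Root CA X3 inactive and ISRG Root X1 active,
#         1 = DST Root CA X3 still active, 2 = ISRG Root X1 not active.
audit_ca_conf() {
    conf=$1; certdir=$2; dst=0; isrg=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in
            ''|'#'*|'!'*) continue ;;   # blank, comment or deselected
        esac
        if [ ! -f "$certdir/$entry" ]; then
            # Left behind when a .crt is renamed but its entry is kept.
            echo "stale entry (file missing): $entry"
            continue
        fi
        case $entry in
            */DST_Root_CA_X3.crt) dst=1 ;;
            */ISRG_Root_X1.crt)   isrg=1 ;;   # file name is an assumption
        esac
    done < "$conf"
    if [ "$dst" -eq 1 ]; then echo "DST Root CA X3 is still active"; return 1; fi
    if [ "$isrg" -eq 0 ]; then echo "ISRG Root X1 is not active"; return 2; fi
    echo "OK: DST Root CA X3 inactive, ISRG Root X1 active"
}

# Constructed sample tree (empty placeholder files, not real certificates).
make_sample() {
    mkdir -p "$1/certs/mozilla"
    : > "$1/certs/mozilla/DST_Root_CA_X3.crt"
    : > "$1/certs/mozilla/ISRG_Root_X1.crt"
    printf '%s\n' '# constructed sample' 'mozilla/DST_Root_CA_X3.crt' \
        'mozilla/ISRG_Root_X1.crt' > "$1/ca-certificates.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_ca_conf "$tmp/ca-certificates.conf" "$tmp/certs" || echo "-> before: rc=$?"
# Same rename as the Debian workaround, applied to the sample tree.
mv "$tmp/certs/mozilla/DST_Root_CA_X3.crt" "$tmp/certs/mozilla/DST_Root_CA_X3.crt.backup"
audit_ca_conf "$tmp/ca-certificates.conf" "$tmp/certs" || echo "-> after: rc=$?"
rm -rf "$tmp"
```

On a real system, call `audit_ca_conf /etc/ca-certificates.conf /usr/share/ca-certificates`; a stale-entry line for DST_Root_CA_X3.crt is expected after the rename above.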
