<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body dir="auto">
Some applications will ignore the expired root cert, but others will need some help.
<div><br>
</div>
<div>The problematic cert is <b>DST Root CA X3</b>. Its replacement is <b>ISRG Root X1</b>.
<div><br>
</div>
<div>I filed an issue on the github repo for one developer’s app. For some baffling reason he still includes openssl libraries from 2015, even though other parts have been updated more recently. </div>
<div><br>
</div>
<div>For Windows users, you delete the DST X3 cert from your trusted root store. For Mac users, one workaround is to manually edit the file /etc/ssl/cert.pem. Here are abbreviated instructions on stackoverflow: </div>
<div><br>
</div>
<div><a href="https://stackoverflow.com/a/69413675">https://stackoverflow.com/a/69413675</a></div>
<div><br>
</div>
</div>
<div>
<div>
<blockquote type="cite"><span style="caret-color: rgb(12, 13, 14); color: rgb(12, 13, 14); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 15px; -webkit-text-size-adjust: 100%; background-color: rgb(255, 255, 255);">The simplest fix
is to delete the expired root certificate from the </span><code style="color: var(--black-800); box-sizing: inherit; margin: 0px; padding: 2px 4px; border: 0px; font-family: var(--ff-mono); font-stretch: inherit; line-height: inherit; font-size: 13px; vertical-align: baseline; max-height: 300px; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; -webkit-text-size-adjust: 100%;">/etc/ssl/cert.pem</code><span style="caret-color: rgb(12, 13, 14); color: rgb(12, 13, 14); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 15px; -webkit-text-size-adjust: 100%; background-color: rgb(255, 255, 255);"> file,
assuming its replacement already exists in the file. This is enough to fix the expired </span><span style="box-sizing: inherit; margin: 0px; padding: 0px; border: 0px; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-style: italic; font-stretch: inherit; line-height: inherit; font-size: 15px; vertical-align: baseline; color: rgb(12, 13, 14); caret-color: rgb(12, 13, 14); -webkit-text-size-adjust: 100%;">DST
Root CA X3</span><span style="caret-color: rgb(12, 13, 14); color: rgb(12, 13, 14); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 15px; -webkit-text-size-adjust: 100%; background-color: rgb(255, 255, 255);">, because its replacement, </span><span style="box-sizing: inherit; margin: 0px; padding: 0px; border: 0px; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-style: italic; font-stretch: inherit; line-height: inherit; font-size: 15px; vertical-align: baseline; color: rgb(12, 13, 14); caret-color: rgb(12, 13, 14); -webkit-text-size-adjust: 100%;">ISRG
Root X1</span><span style="caret-color: rgb(12, 13, 14); color: rgb(12, 13, 14); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 15px; -webkit-text-size-adjust: 100%; background-color: rgb(255, 255, 255);"> already exists in the </span><code style="color: var(--black-800); box-sizing: inherit; margin: 0px; padding: 2px 4px; border: 0px; font-family: var(--ff-mono); font-stretch: inherit; line-height: inherit; font-size: 13px; vertical-align: baseline; max-height: 300px; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; -webkit-text-size-adjust: 100%;">/etc/ssl/cert.pem</code><span style="caret-color: rgb(12, 13, 14); color: rgb(12, 13, 14); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 15px; -webkit-text-size-adjust: 100%; background-color: rgb(255, 255, 255);"> file.
Delete all lines from </span><code style="color: var(--black-800); box-sizing: inherit; margin: 0px; padding: 2px 4px; border: 0px; font-family: var(--ff-mono); font-stretch: inherit; line-height: inherit; font-size: 13px; vertical-align: baseline; max-height: 300px; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; -webkit-text-size-adjust: 100%;">###
Digital Signature Trust Co.</code><span style="caret-color: rgb(12, 13, 14); color: rgb(12, 13, 14); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 15px; -webkit-text-size-adjust: 100%; background-color: rgb(255, 255, 255);"> to </span><code style="color: var(--black-800); box-sizing: inherit; margin: 0px; padding: 2px 4px; border: 0px; font-family: var(--ff-mono); font-stretch: inherit; line-height: inherit; font-size: 13px; vertical-align: baseline; max-height: 300px; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; -webkit-text-size-adjust: 100%;">-----END
CERTIFICATE</code><span style="color: var(--black-800); font-family: var(--ff-mono); font-size: 13px; -webkit-text-size-adjust: 100%;">-----</span></blockquote>
</div>
</div>
<div>
<div><br>
<div dir="ltr">—Sent from my iPhone</div>
<div dir="ltr"><br>
<blockquote type="cite">On Oct 10, 2021, at 1:55 PM, James Lawrie via Outages <outages@outages.org> wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr"><span>It’s worth noting as well that this affects openssl 1.0.1 even if they have the new root cert.</span><br>
<span></span><br>
<span>So curl on Debian 8, Debian 9, OSX 10.14.6 etc. will report SSL certificate expired.</span><br>
<span></span><br>
<span>Browsers there will work, but APIs might fail.</span><br>
<span></span><br>
<span>I wrote about it a little here with a (per-server) workaround: https://urldefense.com/v3/__https://silvermou.se/letsencrypt-60-ssl-certificate-problem-certificate-has-expired/__;!!PIZeeW5wscynRQ!4hIh2VR23PPROuXErYOeLIavk-e56ShODjyZgDSKYSI6xdVY69pjkAK_tSlrCVm_iw$
</span><br>
<blockquote type="cite"><span>On 10 Oct 2021, at 16:52, Jay R. Ashworth via Outages wrote:</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>I meant to post this when it happened, and I think I forgot. :-}</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>The SSL Root cert that underlies Let's Encrypt's root expired on 30-Sept,</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>and the new root that underlies it is not in the Root Certificate Package of</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>some still pretty widely deployed OS versions, including OS/X <10.12.1.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Lots of people are getting their certs from Let's these days, including</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Wikipedia.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>So if you've gotten any reports from the field that people can't access</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>{websites,your websites} it's worth looking into whether this is why.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Tier 2/3 detail: https://urldefense.com/v3/__https://scotthelme.co.uk/lets-encrypt-old-root-expiration/__;!!PIZeeW5wscynRQ!4hIh2VR23PPROuXErYOeLIavk-e56ShODjyZgDSKYSI6xdVY69pjkAK_tSl-1tpe_w$
</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Cheers,</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>-- jra</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Replies, as always, to -discuss</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>-- </span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Jay R. Ashworth Baylink jra@baylink.com</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Designer The Things I Think RFC 2100</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Ashworth & Associates https://urldefense.com/v3/__http://www.bcp38.info__;!!PIZeeW5wscynRQ!4hIh2VR23PPROuXErYOeLIavk-e56ShODjyZgDSKYSI6xdVY69pjkAK_tSkwqRCMgg$ 2000 Land Rover DII</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>_______________________________________________</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Outages mailing list</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Outages@outages.org</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>https://urldefense.com/v3/__https://puck.nether.net/mailman/listinfo/outages__;!!PIZeeW5wscynRQ!4hIh2VR23PPROuXErYOeLIavk-e56ShODjyZgDSKYSI6xdVY69pjkAK_tSnHOP-hNQ$
</span><br>
</blockquote>
</blockquote>
<span>_______________________________________________</span><br>
<span>Outages mailing list</span><br>
<span>Outages@outages.org</span><br>
<span>https://urldefense.com/v3/__https://puck.nether.net/mailman/listinfo/outages__;!!PIZeeW5wscynRQ!4hIh2VR23PPROuXErYOeLIavk-e56ShODjyZgDSKYSI6xdVY69pjkAK_tSnHOP-hNQ$
</span><br>
</div>
</blockquote>
</div>
</div>
</body>
</html>