Let’s Encrypt: Chain of trust is NOT ok, expired.

As planned, the DST Root CA X3 cross-sign ended on September 30, 2021, and older devices, including servers running CentOS 6, now report a broken chain or a failed peer verification such as:

Error: Cannot verify the certificate for example.net issued by “/C=US/O=Lets Encrypt/CN=R3”: The certificate issued has expired.

when trying to connect to a service secured with a Let’s Encrypt certificate. Here is a quick fix for servers running DirectAdmin.

Here we have two sides:

  • Server side storage of CA certificates
  • Websites with Expired CA Certificates

The first problem can be fixed by upgrading the system’s set of CA certificates from the OS repository. Use apt/apt-get/yum/dnf for this, depending on the OS you run.

The second issue requires changing the CA certificate for each hosted website, which is not trivial on a server with 100+ domains. So Poralix has created a small script to automate the process.

The script can be found on GitHub at the following link:

The script can be used to replace the CA root certificate and regenerate the *.combined sets:

  • /usr/local/directadmin/data/users/${USER}/domains/${DOM}.cacert
  • /usr/local/directadmin/data/users/${USER}/domains/${DOM}.cert.combined

for each domain that is protected by a Let’s Encrypt certificate.
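Before running a replacement script across 100+ domains, it helps to know which chain files actually still carry an expired certificate, and to have a known-good way to rebuild the combined file afterwards. The following is an added example, not Poralix’s script and not part of the original post. It walks the DirectAdmin path named above (/usr/local/directadmin/data/users/${USER}/domains/${DOM}.cacert), extracts every PEM certificate from each chain file, reads notAfter with a minimal DER walk (standard library only, no openssl needed), and reports expired entries. It also rebuilds DOM.cert.combined as DOM.cert followed by DOM.cacert; that layout is an assumption about DirectAdmin, as is the function naming. The sample tree, the user “alice” and the skeleton certificates are constructed for the demonstration (they have no real names, keys or signatures) so the code runs offline; the example does not fetch or install a replacement chain.

```python
import base64
import datetime
import glob
import os
import re
import tempfile

# Assumed DirectAdmin layout from the post: chain in DOM.cacert, server cert in
# DOM.cert; DOM.cert.combined is assumed to be the server cert followed by the chain.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_ders(data):
    """Split a PEM bundle into the DER bytes of each certificate it contains."""
    return [base64.b64decode(b"".join(body.split())) for body in PEM_RE.findall(data)]

def _tlv(buf, pos):
    """Decode one DER element at pos: returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Decode the DER elements packed inside a constructed (SEQUENCE-like) value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        out.append((tag, inner))
    return out

def _parse_time(tag, raw):
    """Decode an X.509 Time: UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    s = raw.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]   # RFC 5280 century rule
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=datetime.timezone.utc)

def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as an aware UTC datetime."""
    _, cert, _ = _tlv(der, 0)
    fields = _children(_children(cert)[0][1])      # tbsCertificate fields
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = _children(fields[3][1])             # serial, signature, issuer, validity
    return _parse_time(*validity[1])               # validity = {notBefore, notAfter}

def audit_domains(base_dir, now=None):
    """List (cacert_path, not_after) for every chain file that still holds an expired certificate."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    findings = []
    for path in sorted(glob.glob(os.path.join(base_dir, "*", "domains", "*.cacert"))):
        with open(path, "rb") as fh:
            for der in pem_to_ders(fh.read()):
                expiry = cert_not_after(der)
                if expiry < now:
                    findings.append((path, expiry))
    return findings

def rebuild_combined(cacert_path):
    """Rewrite DOM.cert.combined as DOM.cert followed by DOM.cacert; return its path."""
    stem = cacert_path[:-len(".cacert")]
    with open(stem + ".cert", "rb") as fh:
        cert = fh.read()
    with open(cacert_path, "rb") as fh:
        chain = fh.read()
    combined = stem + ".cert.combined"
    with open(combined, "wb") as fh:
        fh.write(cert if cert.endswith(b"\n") else cert + b"\n")
        fh.write(chain)
    return combined

def _der(tag, content):
    """Encode one DER element (short or long form length); used only for the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert_pem(not_after):
    """Constructed certificate skeleton (empty names, no key, dummy signature) with the given notAfter."""
    validity = _der(0x30, _der(0x17, b"210101000000Z") + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _der(0x30, b"") + validity + _der(0x30, b"") + _der(0x30, b""))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"

def build_sample_tree():
    """Constructed DirectAdmin-like tree: one user, one domain whose chain still carries an expired root."""
    base = tempfile.mkdtemp(prefix="da-sample-")
    dom = os.path.join(base, "alice", "domains")
    os.makedirs(dom)
    with open(os.path.join(dom, "example.net.cert"), "wb") as fh:
        fh.write(fake_cert_pem("251231235959Z"))
    with open(os.path.join(dom, "example.net.cacert"), "wb") as fh:
        fh.write(fake_cert_pem("210930000000Z") + fake_cert_pem("351231235959Z"))
    return base

if __name__ == "__main__":
    root = build_sample_tree()                 # on a real server: "/usr/local/directadmin/data/users"
    for path, expiry in audit_domains(root):
        print("expired CA in %s (notAfter %s)" % (path, expiry.isoformat()))
        print("rebuilt", rebuild_combined(path))
```

Run it against /usr/local/directadmin/data/users instead of the constructed tree to get the list of domains that still need a new chain; the rebuild step only makes sense after the .cacert file has been replaced, and the result should be checked with the web server’s own configuration test before reloading it.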

You can use the following code (as root) to run the script:

bash <(curl -Ss  || wget -O - )

That’s it.
