Trust issues with Let's Encrypt

Submitted by Erik Wegner on

To make the web more secure, Let's Encrypt issues certificates for everyone. They recently changed the root certificate, which is not a problem on its own.

But for a transition period, certificates may be signed by both root certificates, the old one and the new one. An old OpenSSL installation selects the older certificate and complains that it has expired.

ERROR: cannot verify's certificate, issued by ‘CN=R3,O=Let's Encrypt,C=US’:
 Issued certificate has expired.

To handle the situation on Ubuntu 16.04 (xenial), the site has the working answer: disable the expired root certificate (DST Root CA X3) on the system. The following command opens the configuration dialog, where you deselect the certificate mozilla/DST_Root_CA_X3.crt:

sudo dpkg-reconfigure ca-certificates

Now the app happily connects to servers with current Let's Encrypt certificates.
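
For machines where the interactive dialog is impractical, the same deselection can be scripted. This is an added example, not part of the original post. It relies on the ca-certificates convention that a line in /etc/ca-certificates.conf prefixed with "!" is deselected. The helper names disable_ca_cert and make_sample_conf are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Non-interactive equivalent of deselecting a certificate in the
# "dpkg-reconfigure ca-certificates" dialog.

# disable_ca_cert CONF CERT   (hypothetical helper name)
# Prefix CERT's line in CONF with "!". Idempotent; returns 1 if CERT is not listed.
disable_ca_cert() {
    conf=$1
    cert=$2
    # Already deselected: nothing to do.
    if grep -qxF "!$cert" "$conf"; then return 0; fi
    # Not listed at all: report it rather than silently succeed.
    if ! grep -qxF "$cert" "$conf"; then
        echo "not listed in $conf: $cert" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    # Exact whole-line match, so similarly named certificates stay untouched.
    # Writing back with cat keeps the original file's owner and mode.
    awk -v c="$cert" '$0 == c { print "!" c; next } { print }' "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample in the ca-certificates.conf format, for a dry run.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# This file lists certificates that you wish to use or to ignore
mozilla/DST_Root_CA_X3.crt
mozilla/ISRG_Root_X1.crt
EOF
    echo "$f"
}

# On the real system (as root), regenerate the trust store afterwards:
#   disable_ca_cert /etc/ca-certificates.conf mozilla/DST_Root_CA_X3.crt
#   update-ca-certificates
```

Try the function on a copy of the configuration file first, then apply it to the real file and run update-ca-certificates.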