Trust issues with Let's Encrypt

Submitted by Erik Wegner on Wed, 10/06/2021 - 23:06

To make the web more secure, Let's Encrypt issues certificates for everyone. They recently changed the root certificate, which is not a problem on its own.

But for a transition period, certificates may be signed by both (the old and the new) root certificates. An old OpenSSL installation selects the older certificate and complains that it has expired.

ERROR: cannot verify's certificate, issued by ‘CN=R3,O=Let's Encrypt,C=US’:
 Issued certificate has expired.

To handle the situation on Ubuntu 16.04 (xenial), the site has the working answer: disable the expired root certificate (DST Root CA X3) in the system. Use the following command to open the configuration dialog and disable the certificate mozilla/DST_Root_CA_X3.crt:

sudo dpkg-reconfigure ca-certificates

Now the app happily connects to servers with current Let's Encrypt certificates.
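For hosts where the interactive dialog is not practical, the same deselection can be scripted. This is an added example, not part of the original post; it assumes the default Debian/Ubuntu configuration file /etc/ca-certificates.conf, where a leading "!" marks an entry as deselected, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: scripted equivalent of unticking a certificate in
# `dpkg-reconfigure ca-certificates`. Assumes the Debian/Ubuntu convention
# that a leading "!" in ca-certificates.conf deselects an entry.

# deselect_ca_cert CONF ENTRY
# Returns 0 if ENTRY is (now) deselected, 1 if ENTRY is not listed,
# 2 on usage or I/O error. Safe to run repeatedly.
deselect_ca_cert() {
    conf=$1
    entry=$2
    [ -n "$conf" ] && [ -n "$entry" ] && [ -f "$conf" ] || return 2
    # Already deselected: nothing to do.
    if grep -qxF "!$entry" "$conf"; then
        return 0
    fi
    # Not present as an active entry: report it instead of silently succeeding.
    if ! grep -qxF "$entry" "$conf"; then
        return 1
    fi
    tmp=$(mktemp) || return 2
    # Exact whole-line match so similarly named certificates stay untouched.
    awk -v e="$entry" '$0 == e { print "!" $0; next } { print }' "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"   # cat keeps the original file's owner and mode
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 2
    return 0
}

# cert_is_selected CONF ENTRY: returns 0 if ENTRY is still active in CONF.
cert_is_selected() {
    grep -qxF "$2" "$1"
}

# On the real system (as root), deselect the entry and rebuild the trust store:
#   deselect_ca_cert /etc/ca-certificates.conf mozilla/DST_Root_CA_X3.crt \
#       && update-ca-certificates
```

Running it a second time leaves the file unchanged, so it can sit in a provisioning script that is applied repeatedly.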