DST Root CA X3 Certificate Expiration Problems and Fix

Today, the DST Root CA X3 certificate expired, leaving many devices on the internet unable to connect to services whose certificates chain to this Root CA, including those using Let’s Encrypt certificates.

Some of these problematic devices include Samsung Galaxy phones, iPhones, VDI zero and thin clients, and even Sophos UTM firewalls.

In my environment, I noticed a number of issues when browsing to websites that use the free Let’s Encrypt certificates: the Web Protection Web Filtering service on my Sophos UTM firewall would report that the certificate had expired and block access to the websites using it.

The Problem

Let’s Encrypt originally used the “DST Root CA X3” certificate to issue Let’s Encrypt certificates. Over time, as the service has grown, they have moved to “ISRG Root X1” and “ISRG Root X2” as Root CAs and “Let’s Encrypt R3” as an intermediate certificate.

Older devices may still be relying on the older Root CA, which expired today (September 30th, 2021). Please see https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ for more information.

The Fix

To fix this issue, you need to add the 2 new Root CAs to your computer or device.

Root CA Certificates (PEM format):

Intermediate Certificate (PEM format):

You can download them by clicking the links above, or go to https://letsencrypt.org/certificates/ for more information and to download them there if you don’t trust the above links.

After downloading and adding these Root CAs and the Intermediate CA to your computer or device, you should have the full certificate chain to validate the Let’s Encrypt certificates. You only need to add the two root certificates. The Let’s Encrypt certificates that are used on websites that you visit and that you might have deployed on your servers should now work without any issues.

If you’re still having issues, you can try deleting the “DST Root CA X3” certificate from your existing Root CAs. Also, you may need to close and reopen any software and/or browsers for it to work with the new certificate.
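As an added example that is not part of the original post, the same fix on a Windows machine done in PowerShell instead of through the certificate GUI: it imports the two roots and the intermediate into the machine stores, then checks the result. The file names under C:\certs are assumed; the actual files come from the Let’s Encrypt download page linked above.

```powershell
# Added example, not from the original post. Run from an elevated prompt,
# because the LocalMachine stores are being written.
# Assumed paths: adjust to wherever you saved the downloads.
$roots        = @('C:\certs\isrgrootx1.pem', 'C:\certs\isrg-root-x2.pem')
$intermediate = 'C:\certs\lets-encrypt-r3.pem'

# Root CAs go into "Trusted Root Certification Authorities" (Cert:\LocalMachine\Root).
foreach ($file in $roots) {
    Import-Certificate -FilePath $file -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# The intermediate goes into "Intermediate Certification Authorities" (Cert:\LocalMachine\CA).
# If a PEM copy is rejected, use the DER download instead; a comment on this
# post reports DER working where PEM did not on Windows 7.
Import-Certificate -FilePath $intermediate -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null

# Check 1: both new ISRG roots are present and still valid.
Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Subject -match 'ISRG Root X(1|2)' -and $_.NotAfter -gt (Get-Date) } |
    Select-Object Subject, NotAfter, Thumbprint

# Check 2: list the expired DST root so it can be reviewed. The post suggests
# removing it only if validation still fails after the new roots are in place.
Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Subject -match 'DST Root CA X3' -and $_.NotAfter -lt (Get-Date) } |
    Select-Object Subject, NotAfter, Thumbprint
```

Close and reopen browsers and mail clients afterwards, as the post notes, since some applications cache the trust store at startup.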

HTTPS Scanning/Filtering Firewall Fix (Sophos UTM as example)

If you have a firewall that scans HTTPS traffic, you’ll need to add the two root certificates above to its HTTPS certification authority list.

As an example, to fix this on the Sophos UTM firewall, follow the instructions below:

  1. Download the 3 certificates above.
  2. Log on to your Sophos UTM.
  3. Navigate to “Web Protection”, “Filtering Options”, and the “HTTPS CAs” tab.
  4. Disable the old “Digital Signature Trust Co. DST Root CA X3” certificate in the list.
  5. Using “Upload local CA”, browse to and select 1 of the 3 certificates, then click upload.
  6. Repeat step 5 for each of the 3 certificates listed above.
  7. The issue has been fixed! You should now see all 3 certificates in the “Local verification CAs” list.

The steps should be similar for other firewalls that provide HTTPS Scanning and Filtering.

Stephen Wagner

Stephen Wagner is President of Digitally Accurate Inc., an IT Consulting, IT Services and IT Solutions company. Stephen Wagner is also a VMware vExpert, NVIDIA NGCA Advisor, and HPE Influencer, and also specializes in a number of technologies including Virtualization and VDI.

Comments

  • Thanks Stephen. Your article last year fixed my Comodo cert expiring issue and now you have fixed my Let's Encrypt issue. In my case I needed to restart the UTM for the certs to come into effect. Thanks so much.

  • Thanks for the precise and to-the-point information. This was bugging my email client since yesterday and besides all the discussions of concerned admins, no one except you seemed to bother providing a link to the three relevant certificates. A one minute fix.

  • Hi Stephen,

    I ran into this problem and thankfully I found your post. Can you go into detail about how to fix this problem? I downloaded the files but I have no idea what to do with them.

  • Thank you Stephen! I've had two support requests caused by this issue in the last 24 hours. Your explanation and fix description is detailed and thorough. Thanks again.

  • Thank you so much: you saved my day!
    In 5 minutes everything was again working fine with my HTTPS filtering/scanning on my Sophos UTM 9 appliance.
    Very nice to see there are still people sharing valuable information...

  • Thank you Stephen! Phenomenal fix. I am a beginner end user and have Windows 7 (groan). However I determined in applying Stephen's fix the DER files worked. The PEM files would not. So for those of you that are attempting to apply the fix don't despair. After restarting my computer with the DER files so far I have had no issues. I also live in the USA.
    Hope this information will help and encourage others to give it a try.
    So grateful I found you and the fix!

  • I run mantry.com, Stephen gave me 1 minute of guidance over chat along with the thorough instructions on this blog and I was able to fix the DST Root CA X3 Certificate Expiration Problem. He made my week!

  • Hello Stephen
    I just downloaded the files, but I don't know what's next.
    Do I need to replace the three files in a specific folder on my computer?

    Greetings from Mexico

    • Hi Omar,

      The Root CAs and Intermediate CA need to be added to your device's certificate store. As an example, if this was Windows, you'd add the Root CAs to the System's "Trusted Root Certification Authorities" store, and the Intermediate to the "Intermediate Certification Authorities" store.

      Cheers,
      Stephen

  • According to Sophos, as of 10/1/21 at 19:00GMT an update was released and a restart is required because certain services such as web proxy cache the previously loaded certificates.

    From https://support.sophos.com/support/s/article/KB-000042993?language=en_US

    "The CA Data bundle for UTM has been released. All Sophos UTMs should have received & are updated.

    This bundle removes the expired Let's Encrypt X3 CA from both the UTM cert store (used by web proxy, email) and WAF. This should automatically resolve the issue for both WAF & Email.

    For awarren [sic] http (web proxy) it may require a restart before the issue is resolved. That’s because the proxy caches the CAs and requires a restart to reload.

    Sophos Firewall web proxy - Hotfix roll out started to address issue Friday, Oct 1, 2021 19:00 GMT"

  • Thank you Stephen! These steps helped me resolve the issues I've been trying to resolve these past two days.
