Today, the DST Root CA X3 certificate expired, leaving many devices on the internet having issues connecting to services and certificates that use this Root CA, including those using Let’s Encrypt certificates.
Some of these problematic devices include Samsung Galaxy phones, iPhones, VDI zero and thin clients, and even Sophos UTM firewalls.
In my environment, I noticed a number of issues when browsing to websites that use the free Let’s Encrypt certificates, as the Web Protection Web Filtering service on my Sophos UTM firewall would report the certificate has expired and not allow me access to the websites using it.
Let’s Encrypt originally used the “DST Root CA X3” certificate to issue Let’s Encrypt certificates. However, as time has passed and the service has been used more, they now use “ISRG Root X1” and “ISRG Root X2” as Root CA’s and “Let’s Encrypt R3” as an intermediate certificate.
Older devices may be using the older Root CA which expired today (September 30th, 2021). Please see https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ for more information.
To fix this issue, you need to add the 2 new Root CAs to your computer or device.
Root CA Certificates (PEM format):
Intermediate Certificate (PEM format):
You can download them by clicking the links above or go to https://letsencrypt.org/certificates/ for more information and to download if you don’t trust the above links.
After downloading and adding these Root CAs and the Intermediate CA to your computer or device, you should have the full certificate chain to validate the Let’s Encrypt certificates. You only need to add the two root certificates. The Let’s Encrypt certificates that are used on websites that you visit and that you might have deployed on your servers should now work without any issues.
If you’re still having issues, you can try deleting the “DST Root CA X3” certificate from your existing Root CAs. Also, you may need to close and reopen any software and/or browsers for it to work with the new certificate.
If you have a firewall that scans HTTPs traffic, you’ll need to add the two root certificates above to the HTTPS Certification authority list.
As an example, to fix this on the Sophos UTM firewall, follow the instructions below:
The steps should be similar for other firewalls that provide HTTPS Scanning and Filtering.
Today we're going to discuss and deploy Active Directory Certificate Services on a Windows Server 2022 Server. Additionally, we'll also be generating a domain certificate request inside of IIS and… Read More
When attempting to do a fresh install of Windows 11 using the ISO, you may receive the message "This PC can't run Windows 11". Additionally, "This PC doesn't meet the… Read More
When attempting to upgrade to Windows 11, you may receive the message "This PC doesn't currently meet Windows 11 system requirements". Windows 11 has a new set of minimum system… Read More
Today, I will be showing you howto install, configure, and deploy Windows Server Update Services (WSUS) on Windows Server 2022. I'll also show you how to use the WSUS MMC… Read More