Plesk websites secured by Let's Encrypt certificates show ERR_CERT_AUTHORITY_INVALID warning after September 30, 2021

Applicable to:

  • Plesk for Linux
  • Plesk for Windows

Symptoms

  • After September 30, 2021, browsers show the error ERR_CERT_AUTHORITY_INVALID when accessing websites that are hosted on a Plesk server and secured with Let's Encrypt certificates.

  • The certificate DST Root CA X3 is shown in the certificate chain (Padlock icon in address bar > Certificate > Certification Path).

Cause

The DST Root CA X3 root certificate expired on September 30, 2021 at 14:01:15 GMT. The expiry affects outdated client operating systems, including the following ones:

  • Windows < XP SP3
  • Windows 7 (without the specific root certificates update installed)
  • macOS < 10.12.1
  • iOS < 10
  • Android < 7.1.1 (but versions >= 2.3.6 will work if served the ISRG Root X1 cross-sign)
  • Ubuntu < 16.04
  • Debian < 8

Resolution

To resolve the issue, install the latest updates for the computer / mobile device (Windows, macOS, Android, iOS, etc.) that is used for accessing websites.

For Plesk on Windows Server

Install the latest OS updates and reboot the server to refresh the root certificates cache.

Plesk on supported Linux OS

If a Linux server is used and it is up-to-date, no actions are required.

Plesk on outdated (end-of-life) Linux OS

On outdated Linux operating systems, it may be required to apply the steps below:

  1. Connect to the server using SSH.

  2. Open the file /etc/ca-certificates.conf for editing.

  3. Comment out the line mozilla/DST_Root_CA_X3.crt by putting the symbol ! at the beginning of the line, then save the file.

  4. Execute the below command:

    # update-ca-certificates
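
Steps 2 to 4 can also be scripted so that they are repeatable across several end-of-life servers. The script below is an added example, not Plesk's own tooling; the function name deselect_dst_root, the --apply switch and the .bak backup suffix are assumptions made for this example. It must be run as root to change the real file.

```shell
#!/bin/sh
# Added example: deselect DST Root CA X3 in a ca-certificates.conf file.
CERT_LINE='mozilla/DST_Root_CA_X3.crt'

# deselect_dst_root CONF
# Prefixes the DST Root CA X3 entry in CONF with "!" (step 3 above).
# Return codes: 0 = entry deselected now, 1 = entry was already deselected,
#               2 = entry not listed in CONF, 3 = CONF unreadable or backup failed.
deselect_dst_root() {
    conf=$1
    [ -r "$conf" ] || return 3
    # -x matches the whole line, -F treats the dots in the name literally.
    if grep -qxF "!$CERT_LINE" "$conf"; then
        return 1
    fi
    if ! grep -qxF "$CERT_LINE" "$conf"; then
        return 2
    fi
    # Keep a copy of the original file (assumed suffix .bak) before editing.
    cp -p "$conf" "$conf.bak" || return 3
    # Write back into the existing file so its owner and mode are unchanged.
    sed 's|^mozilla/DST_Root_CA_X3\.crt$|!&|' "$conf.bak" > "$conf"
}

# Touch the real configuration only when explicitly asked: sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    rc=0
    deselect_dst_root /etc/ca-certificates.conf || rc=$?
    case $rc in
        0|1) update-ca-certificates ;;   # step 4: rebuild the trust store
        2)   echo "DST Root CA X3 is not listed, nothing to do" >&2 ;;
        *)   echo "cannot edit /etc/ca-certificates.conf" >&2; exit 1 ;;
    esac
fi
```

Running it a second time leaves the file unchanged and only rebuilds the trust store.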

Starting from January 2021, Plesk issues Let's Encrypt certificates using ISRG Root X1.

On Windows, check that the Turn off Automatic Root Certificates Update option is disabled in Local Group Policy Editor under Local Computer Policy > Computer Configuration > Administrative Templates > System > Internet Communication > Internet Communication settings. If it is enabled, disable it, install Windows updates and reboot the server.

If an alternative root was previously enabled in the panel.ini configuration file:

  1. Connect to the server via SSH/RDP.

  2. Remove the following line from the panel.ini configuration file:

    use-alternate-root = true

  3. Reissue Let's Encrypt certificates for the affected domains.
