
Plesk websites secured by Let's Encrypt certificates show ERR_CERT_AUTHORITY_INVALID warning after September 30, 2021

Comments

38 comments

  • Mehmet Tahta

    When you reissue the cert, it already fixes the issue. What is the point of this article? Totally useless for now. How could we bulk reissue the certs? 

  • Leonid Gukhman

    Mehmet Tahta Hi, to bulk-reissue the certs, add the following to panel.ini, run the "Extension letsencrypt" keep-secured.php under Tools & Settings > Scheduled Tasks (Cron jobs), and remove the directives once the task is finished:

    [ext-letsencrypt]
    renew-before-expiration = 999

     

  • Jacob Colton

    When we reissue an SSL on Windows it is not fixing the issue...if we have to reissue the SSLs are we not going to hit LE limits?

  • Leonid Gukhman

    Jacob Colton Please note that the newly issued certificates use the new root cert, so the issue should be fixed from the client's side by updating the software. As for LE limits, they are applied per-domain, so renewing certificates for multiple domains does not affect these limits.

  • Jacob Colton

    Please see ticket 315809 where we have provided evidence this is not the case.

  • Fabrice KIMMEL (Edited)

    Hi all,

    My problem is that I use many curl and wget commands in bash scripts, and file_get_contents in PHP.

    I can add params to each to deactivate the certificate check, but it's not the best solution, and I have 20 servers with many websites on each...

    What can I do to correct this error?

    Thanks

    PS: my servers run Ubuntu, from 12.04 to 18.04

  • Arvind Kumar

    SSL has not been working on Windows 7 since 01-10-2021; it is only working on Windows 10.

    When I open the website on Windows 7, it displays the error "Your connection to this site is not secure".

    So please let me know how I can resolve this problem.

  • Francisco Roman Garcia Rodriguez

    Hi Arvind Kumar,

    For Windows 7, it seems that Microsoft has released an update for it to update the expired certificate.

    DST Root CA X3 expiration on Windows7. Which update I need to install? Are there workarounds?

    Please keep your operating systems up to date.

  • Fabrice KIMMEL

    Does someone have an idea how to correct this for curl / wget commands and for the PHP file_get_contents function?

    Thanks

  • Francisco Roman Garcia Rodriguez

    Hi Fabrice KIMMEL,

    I'd bet you have to update the OS packages, to be more accurate it should be the ca-certificates package:

    What is the use/purpose of the ca-certificates package?

  • Fabrice KIMMEL

    Thanks Francisco,

    Here's the list of what I tried:

    The problem is still here...

    I'm waiting for a reply from Plesk support, and I will try to do a dist-upgrade on an empty server (Ubuntu 14.04), but I would prefer to use another solution,

  • Francisco Roman Garcia Rodriguez

    Hi Fabrice KIMMEL,

    Needless to say, Ubuntu 14 has already been EOL for years, so it is better to migrate to a newer operating system where this issue doesn't happen.

    Anyway, if you prefer to take the risk and perform a distro upgrade, we have a guide: How to perform dist-upgrade procedure on Linux server with Plesk?

    However, remember that no support is available for this old server. So it's up to you!

  • Fabrice KIMMEL

    I know that it is an old version; the versions that I have go from Ubuntu 12 (!!) to Ubuntu 20.

    I'm OK to upgrade them, but clients say "why put my website offline for that?? the website works fine!!" ... and I can't do it when the client refuses...

    I just tried to use a free ZeroSSL certificate, and now my test site works with curl...
    It can be another solution...

  • Rutger Mik (Edited)

    For Ubuntu 16/14 and 12 you can use the following solution.

    Open "/etc/ca-certificates.conf" and comment this row: "mozilla/DST_Root_CA_X3.crt"
    The ! is the comment character here.
    Save the file and run update-ca-certificates

    That should fix it.

    I compiled this one-liner to fix this:

    sed -i -e 's#\(^m.*DST_Root_CA_X3.*\)#!\1#g' /etc/ca-certificates.conf;update-ca-certificates

     

    For more information read:
    https://medium.com/geekculture/will-you-be-impacted-by-letsencrypt-dst-root-ca-x3-expiration-d54a018df257

  • Fast2host Ltd support

    We have 5 Windows hosting servers, and are having this issue with hundreds of domains. I tried deleting the expired certificate so LetsEncrypt was forced to use the ISRG Root X1 certificate.

    I thought this had worked, but the expired DST_Root certificate keeps coming back

  • Fabrice KIMMEL

    Many thanks to you !!!!!

    I tried this solution on 2 servers and curl works !!!!

    Now here it is Friday, 5pm, and I stop working at 6pm, so I'll wait until Monday to deploy on all servers.
    I don't think it can create other problems, but I prefer to be present in case something happens.

    Thanks for everything Mik, and see you Monday

  • Carlo Vollebregt

    For our specific case I managed to fix the client connection problems on the server side by manually removing the DST Root CA X3 from the certificate file of a vhost (note: this might not be the correct solution for all cases). But when I renew the certificate, the DST Root CA X3 is added again.

    It seems that certbot has a 'preferred-chain' option, which I can use to force certbot to request a specific intermediate certificate:

    sudo certbot renew --force-renewal --preferred-chain "ISRG Root X1"

    I cannot find a 'preferred chain' option in the Plesk Lets Encrypt settings (https://docs.plesk.com/en-US/obsidian/administrator-guide/plesk-administration/managing-let%E2%80%99s-encrypt-settings.78586/).

    Is there a possibility in Plesk to prevent the DST Root CA X3 being added to the certificate file of vhosts on the Plesk server?

  • Harm Jakob Tolsma (Edited)

    Updated that certificate.conf and renewed the certificates like Rutger Mik posted.
    When using the WordPress REST-API with Postman it still gives me the 'Certificate has Expired' notice.

    ---

    Update: me being an idiot.. had to update Postman.

  • Roman

    But when I renew the certificate, the DST Root CA X3 is added again.

    Same issue here... I must manually remove the X3 certificate, but I can't do it every time for each client. How can I fix it in the Plesk/Let's Encrypt extension?

  • Fabrice KIMMEL

    Maybe restart the apache / php services? Maybe the certificates file is read only when the service starts?

  • Roman (Edited)

    Thx for your answer!

    I'm managing many Plesk servers and even the newest one (Ubuntu 20.04, installed 1 month ago, newest Plesk) is having the same issue. Server/service reboot did nothing :\
    I don't understand what I'm doing wrong... I've got the same issue on Ubuntu 16.04, CentOS 7...

  • Fabrice KIMMEL

    I just had the same problem on another old server; the Mik command didn't correct the problem.

    Try running apt-get install ca-certificates to update the package, edit the file /etc/ca-certificates.conf, and search for the line mozilla/DST_Root_CA_X3.crt.
    If you don't have the "!" character at the start of the line, close the file, retry the Mik command, and recheck the conf file.

  • Roman

    Already done :\ "mozilla/DST_Root_CA_X3.crt" is deselected in this file on every damn server :D

     

  • Fabrice KIMMEL

    Upgrade the package list (apt-get update) before the apt-get install ca-certificates

    Do you get errors like 404 errors when updating the package list?

  • Edwin C

    I was able to fix the issue using the following steps.

    1. Comment out the line mozilla/DST_Root_CA_X3.crt in /etc/ca-certificates.conf.

    2. Run the command "update-ca-certificates"

    3. Renew the Lets Encrypt Certificate from Plesk Panel.

    Many Thanks to Rutger and Fabrice.

    0
    Comment actions Permalink
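
Added example, not part of the original thread or of Plesk's own tooling: a shell sketch of the check and fix the comments above describe for /etc/ca-certificates.conf, reporting whether the DST Root CA X3 line is enabled, already prefixed with "!", or whether the file is missing. The function names are hypothetical and the sample file is constructed so the script runs without touching /etc.

```shell
#!/bin/sh
# Added example: inspect and disable the DST Root CA X3 entry in a
# Debian/Ubuntu-style ca-certificates.conf. Function names are hypothetical.

DST_ENTRY='mozilla/DST_Root_CA_X3.crt'

# Print the state of the entry in the given conf file:
#   missing  - the conf file does not exist on this system
#   absent   - the file exists but has no DST Root CA X3 line
#   enabled  - the line is present without the leading "!"
#   disabled - the line is present and prefixed with "!"
dst_root_state() {
    conf=$1
    [ -f "$conf" ] || { echo missing; return 0; }
    if grep -qxF "$DST_ENTRY" "$conf"; then
        echo enabled
    elif grep -qxF "!$DST_ENTRY" "$conf"; then
        echo disabled
    else
        echo absent
    fi
}

# Prefix the entry with "!" (the deselect marker in this file), keeping
# a .bak copy. Safe to re-run: an already disabled entry is left alone.
# Returns 0 only if the entry ends up disabled.
disable_dst_root() {
    conf=$1
    case $(dst_root_state "$conf") in
        disabled) return 0 ;;
        enabled)
            cp -p "$conf" "$conf.bak" || return 1
            # Rewrite from the backup so the original file keeps its mode.
            sed "s#^${DST_ENTRY}\$#!&#" "$conf.bak" > "$conf" || return 1
            ;;
        *) return 1 ;;   # missing or absent: nothing to edit here
    esac
    [ "$(dst_root_state "$conf")" = disabled ]
}

# Constructed sample file for demonstration only.
demo=$(mktemp)
printf '%s\n' 'mozilla/DST_Root_CA_X3.crt' 'mozilla/ISRG_Root_X1.crt' > "$demo"
echo "before: $(dst_root_state "$demo")"
disable_dst_root "$demo" && echo "after:  $(dst_root_state "$demo")"
rm -f "$demo" "$demo.bak"
```

On a real server the conf path is /etc/ca-certificates.conf, and as the comments above say, update-ca-certificates still has to be run afterwards for the change to take effect.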
  • Vitaly Zhidkov

    @Everyone, thank you for the input, the article was updated accordingly

     

  • Paul Phillips

    Anyone know how to do this on CentOS?

    I don't have `/etc/ca-certificates.conf`

  • Paul Phillips

    Thanks Fabrice, I've already checked there and it's an empty folder.

  • Arvind Kumar Madhukar

    Just for clarification,

    Can you please tell me, is this issue only with the Let's Encrypt SSL or with other SSL too?
