Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
- After September 30, 2021, when accessing websites hosted on a Plesk server and secured with Let's Encrypt certificates, the error ERR_CERT_AUTHORITY_INVALID is shown.
- The certificate DST Root CA X3 is shown in the certificate chain (Padlock icon in address bar > Certificate > Certification Path):
Sample screenshots
Cause
DST Root CA X3 root certificate expired on September 30, 2021 at 14:01:15 GMT. It affects outdated client operating systems, including the following ones:
- Windows < XP SP3
- Windows 7 (without the specific root certificates update installed)
- macOS < 10.12.1
- iOS < 10
- Android < 7.1.1 (but >= 2.3.6 will work if served ISRG Root X1 cross-sign)
- Ubuntu < 16.04
- Debian < 8
Resolution
To resolve the issue, install the latest updates for the computer / mobile device (Windows, macOS, Android, iOS, etc.) that is used for accessing websites.
Install the latest OS updates and reboot the server to refresh the root certificate cache.
If a Linux server is used and it is up-to-date, no actions are required.
On outdated Linux operating systems, the steps below may be required:
- Connect to the server using SSH.
- Open the file /etc/ca-certificates.conf for editing.
- Comment out the line mozilla/DST_Root_CA_X3.crt by putting the ! symbol at the beginning of the line and save the file.
- Execute the command below:
  # update-ca-certificates
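The steps above done as one repeatable script. This is an added example, not code from the Plesk article: it marks the DST Root CA X3 entry with a leading ! (what the article calls commenting the line out), keeps a backup of the file, and only rebuilds the bundle with update-ca-certificates when run as root with --apply. The file path and the update-ca-certificates tool are Debian/Ubuntu conventions (RHEL/CentOS use update-ca-trust and have no such file); the CA_CONF override is an assumption added here so the edit can be tried on a copy of the file first.

```shell
#!/bin/sh
# Added example, not taken from the Plesk article: apply the ca-certificates.conf
# workaround in a repeatable way. Prefix the DST Root CA X3 entry with '!', keep
# a backup, and rebuild the bundle with update-ca-certificates (root + --apply).
# CA_CONF is an assumed override so the edit can be tested on a copy of the file.

CA_CONF="${CA_CONF:-/etc/ca-certificates.conf}"
DST_LINE="mozilla/DST_Root_CA_X3.crt"

# dst_root_status FILE: "active" if the entry is still enabled, "disabled" if it
# is prefixed with '!', "absent" if the configuration does not list it at all.
dst_root_status() {
    conf="$1"
    if grep -q "^${DST_LINE}\$" "$conf"; then
        echo active
    elif grep -q "^!${DST_LINE}\$" "$conf"; then
        echo disabled
    else
        echo absent
    fi
}

# disable_dst_root FILE: rewrite the entry as "!mozilla/DST_Root_CA_X3.crt".
# Prints "changed" when the file was edited and "unchanged" when there was
# nothing to do, so running it twice is harmless.
disable_dst_root() {
    conf="$1"
    if [ "$(dst_root_status "$conf")" != "active" ]; then
        echo unchanged
        return 0
    fi
    cp "$conf" "$conf.bak"
    tmp="$conf.tmp.$$"
    # write to a temp file and move it into place (portable across sed variants)
    sed "s|^${DST_LINE}\$|!${DST_LINE}|" "$conf" > "$tmp" && mv "$tmp" "$conf"
    echo changed
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root to edit $CA_CONF" >&2
        return 1
    fi
    echo "DST Root CA X3 entry: $(disable_dst_root "$CA_CONF")"
    # rebuild /etc/ssl/certs and the bundle from the updated selection
    update-ca-certificates
    echo "status after update: $(dst_root_status "$CA_CONF")"
}

if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run `sh disable-dst-root.sh --apply` as root to change the live file; without --apply the script only defines the functions, which is how a copy of the file can be checked with dst_root_status before touching the real one.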
Starting from January 2021, Plesk issues Let's Encrypt certificates using ISRG Root X1.
On Windows, check that Turn off Automatic Root Certificates Update option is disabled in Local Group Policy Editor under Local Computer Policy > Computer Configuration > Administrative Templates > System > Internet Communication > Internet Communication settings. If it is enabled, disable it, install Windows updates and reboot the server.
If an alternative root was enabled in the panel.ini configuration file before:
- Connect to the server via SSH/RDP.
- Remove the following line from the panel.ini configuration file: use-alternate-root = true
- Reissue Let's Encrypt certificates for the affected domains.
Comments
39 comments
@Paul: Sorry; I am not an Ubuntu expert, and even less in CentOS ... I can't help you more than a Google search.
@Arvind: I think it can affect all certificates using DST Root CA X3 in its parents.
It's this, Arvind: https://portswigger.net/daily-swig/amp/lets-encrypt-root-cert-update-catches-out-many-big-name-tech-firms
@Vitaly Zhidkov, I think we need to renew the existing certificates after running update-ca-certificates. It would be good to add this step to the KB.
@Edwin C There is no need to renew existing certificates from Plesk, as all LE certificates issued via Plesk contain ISRG Root X1 since January 2021.
@Lev Iurev, the server I was working on had LE installed as a Plesk extension. The new SSL (renewed on Oct 1st) was still using DST Root CA X3. This could be because of Ubuntu 16.04.
After applying the workaround mentioned earlier and renewing the SSL, the certificate issuer was changed to ISRG Root X1.
On our Plesk CentOS 7 servers, which are completely updated, we are still struggling with this issue. When we renew a Let's Encrypt certificate, the ca-bundle contains two chains:
1: [my hostname] <- R3 (sent by server) <- ISRG Root X1 (in truststore on client)
2: [my hostname] <- R3 (sent by server) <- ISRG Root X1 (sent by server) <- expired DST Root CA X3 (in truststore on client)
When I check the Let's Encrypt test site https://valid-isrgrootx1.letsencrypt.org/, it only shows the first chain. This one does not send the ISRG Root X1 that is signed by the expired DST Root CA X3.
We are using the most recent ca-certificates package on these CentOS 7 servers and I have verified that the DST Root CA X3 is not present in the trusted certificates list on the server. As a test I also blacklisted the ISRG Root X1 with fingerprint 6d99...c24f, but this certificate still appears in the ca-bundle file of my hostname's vhost when I renew the Let's Encrypt certificate.
So I am still looking for another way I can prevent the ISRG Root X1 from being added to the vhost's ca-bundle.
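A way to tell the two chains in the comment above apart on the server itself. This is an added example, not code from the article or from any commenter: it splits a PEM bundle (for instance the ca-bundle file Plesk stores for a vhost) into its certificates and prints each one's subject, issuer and expiry status. A bundle that carries an "ISRG Root X1" certificate issued by "DST Root CA X3" is the long, cross-signed chain (chain 2); the short chain ends at R3. The function names and the temp-file layout are this example's own; it needs the openssl and awk command-line tools.

```shell
#!/bin/sh
# Added example, not from the article or comments: describe every certificate in
# a PEM bundle so the R3-only chain and the DST-cross-signed chain can be told
# apart. Function names and file layout are this example's own assumptions.

# pem_cert_count FILE: how many certificates the bundle holds.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# pem_describe FILE: one line per certificate, "<index>|<subject>|<issuer>|<status>"
# where status is "valid" or "expired" according to the certificate's notAfter.
pem_describe() {
    bundle="$1"
    workdir=$(mktemp -d)
    # split the bundle: every BEGIN line starts a new single-certificate file
    awk -v dir="$workdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n ".pem" }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$bundle"
    i=1
    while [ -f "$workdir/cert.$i.pem" ]; do
        f="$workdir/cert.$i.pem"
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        # -checkend 0 exits non-zero once notAfter lies in the past
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            status=valid
        else
            status=expired
        fi
        printf '%s|%s|%s|%s\n' "$i" "$subj" "$iss" "$status"
        i=$((i + 1))
    done
    rm -rf "$workdir"
}

# has_cross_signed_isrg FILE: "yes" if the bundle contains ISRG Root X1 as
# issued (cross-signed) by DST Root CA X3, i.e. the long chain; else "no".
has_cross_signed_isrg() {
    if pem_describe "$1" | grep -q 'ISRG Root X1|.*DST Root CA X3|'; then
        echo yes
    else
        echo no
    fi
}

# expired_count FILE: number of certificates in the bundle already past notAfter.
expired_count() {
    pem_describe "$1" | grep -c '|expired$' || true
}

# Usage: sh inspect-bundle.sh /path/to/ca-bundle.pem
if [ -n "${1:-}" ]; then
    pem_describe "$1"
    echo "cross-signed ISRG Root X1 present: $(has_cross_signed_isrg "$1")"
    echo "expired certificates: $(expired_count "$1")"
fi
```

Running it against the vhost's ca-bundle after a renewal shows immediately whether the DST-issued ISRG Root X1 is still being written into the file; an expired_count above zero after September 30, 2021 means the served chain still ends in DST Root CA X3.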
@Carlo, I've solved it by adding the following lines to panel.ini (available as a Plesk extension as well):
[ext-letsencrypt]
use-alternate-root = true
Thanks Roman, this solved my problem as well!
Roman
Hello,
Did Plesk need to be restarted to use this config?
On an old server, I always get DST Root CA X3 with the 30 Sept 2021 date after renewing the certificate...