
Plesk websites secured by Let's Encrypt certificates show ERR_CERT_AUTHORITY_INVALID warning after September 30, 2021

Comments

38 comments

  • Fabrice KIMMEL

    @Paul: Sorry, I am not an Ubuntu expert, and even less in CentOS ... I can't help you more than a Google search

    @Arvind : I think it can affect all certificates using DST Root CA X3 in its parents

    0
  • Edwin C (Edited)

    @Vitaly Zhidkov, I think we need to renew the existing certificates after running update-ca-certificates. Would be good to add this step in the KB

    0
  • Lev Iurev

    @Edwin C There is no need to renew existing certificates from Plesk as all LE certificates issued via Plesk contain ISRG Root X1 since January 2021

    0
  • Edwin C (Edited)

    @Lev Iurev, the server I was working on had LE installed as a Plesk extension. The new SSL (renewed on Oct 1st) was still using DST Root CA X3. This could be because of Ubuntu 16.04.

    After applying the workaround mentioned earlier and renewing the SSL, the certificate issuer was changed to ISRG Root X1.

    0
  • Carlo Vollebregt

    On our Plesk CentOS 7 servers, which are completely updated, we are still struggling with this issue. When we renew a Let's Encrypt certificate, the ca-bundle contains two chains:

    1: [my hostname] <- R3 (sent by server) <- ISRG Root X1 (in truststore on client)
    2: [my hostname] <- R3 (sent by server) <- ISRG Root X1 (sent by server) <- expired DST Root CA X3 (in truststore on client)

    When I check the Let's Encrypt test site https://valid-isrgrootx1.letsencrypt.org/, it only shows the first chain. This one does not send the ISRG Root X1 which is signed by the expired DST Root CA X3.

    We are using the most recent ca-certificates package on these CentOS 7 servers and I have verified that the DST Root CA X3 is not present in the trusted certificates list on the server. As a test I also blacklisted the ISRG Root X1 with fingerprint 6d99...c24f, but this certificate still appears in the ca-bundle file of my hostname's vhost when I renew the Let's Encrypt certificate.

    So I am still looking for another way I can prevent the ISRG Root X1 being added to the ca-bundle of the vhost.

    0
  • Roman

    @Carlo, I've solved it by adding the following lines to panel.ini (available as a Plesk extension as well):

    [ext-letsencrypt]
    use-alternate-root = true

    1
  • Carlo Vollebregt

    @Carlo, I've solved it by adding the following lines to panel.ini (available as a Plesk extension as well):

    [ext-letsencrypt]
    use-alternate-root = true

    Thanks Roman, this solved my problem as well!

    0
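
The two chains Carlo Vollebregt describes can be told apart from the "Certificate chain" section of `openssl s_client -connect <host>:443 -showcerts` output. The script below is an added example, not code from any comment in this thread or from Plesk; the sample output and the hostname `www.example.test` are constructed, and the function names are hypothetical.

```python
import re
import sys

# Constructed sample: "Certificate chain" section of s_client output for the
# long chain from the thread (leaf <- R3 <- ISRG Root X1 <- DST Root CA X3).
SAMPLE_LONG = """\
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
# Constructed sample: the short chain (server stops after R3).
SAMPLE_SHORT = SAMPLE_LONG.split(" 2 s:")[0] + "---\n"

_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")   # " 0 s:..." or "   i:..."
_CN = re.compile(r"CN\s*=\s*([^,/\n]+)")             # "CN = R3" or "/CN=R3"

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # skips PEM bodies, "---", and OpenSSL 3 "a:"/"v:" lines
        cn = _CN.search(m.group(2))
        name = cn.group(1).strip() if cn else m.group(2).strip()
        if m.group(1) == "s":
            subject = name
        elif subject is not None:
            chain.append((subject, name))
            subject = None
    return chain

def sends_cross_signed_root(chain):
    """True if the server sends ISRG Root X1 as issued by DST Root CA X3."""
    return any(s == "ISRG Root X1" and i == "DST Root CA X3" for s, i in chain)

if __name__ == "__main__":
    # Pipe real s_client output on stdin; with no pipe, use the constructed sample.
    chain = parse_chain(SAMPLE_LONG if sys.stdin.isatty() else sys.stdin.read())
    for depth, (s, i) in enumerate(chain):
        print(f"{depth}: {s} <- {i}")
    print("cross-signed ISRG Root X1 sent:", sends_cross_signed_root(chain))
```

Running it against a vhost before and after renewing the certificate shows whether the served chain still ends in the certificate issued by DST Root CA X3.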