Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
- After September 30, 2021, when accessing websites hosted on a Plesk server and secured with Let's Encrypt certificates, the error ERR_CERT_AUTHORITY_INVALID is shown.
- The certificate DST Root CA X3 is shown in the certificate chain (Padlock icon in address bar > Certificate > Certification Path).
Sample screenshots
Cause
The DST Root CA X3 root certificate expired on September 30, 2021 at 14:01:15 GMT. This affects outdated client operating systems, including the following:
- Windows < XP SP3
- Windows 7 (without the specific root certificates update installed).
- macOS < 10.12.1
- iOS < 10
- Android < 7.1.1 (but >= 2.3.6 will work if served ISRG Root X1 cross-sign)
- Ubuntu < 16.04
- Debian < 8
Resolution
To resolve the issue, install the latest updates for the computer / mobile device (Windows, macOS, Android, iOS, etc.) that is used for accessing websites.
Install the latest OS updates and reboot the server to refresh the root certificate cache.
If a Linux server is used and it is up to date, no action is required.
On outdated Linux operating systems, the steps below may be required:
- Connect to the server using SSH.
- Open the file /etc/ca-certificates.conf for editing.
- Comment out the line mozilla/DST_Root_CA_X3.crt by putting the symbol ! at the beginning of the line and save the file.
- Execute the command below:
# update-ca-certificates
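The same ca-certificates steps as an idempotent script, with a backup of the conf file and a command-line version of the chain check from the Symptoms section. This is an added example, not the article's or Plesk's own tooling; it assumes the Debian/Ubuntu ca-certificates.conf format (a leading "!" deselects a certificate) and the openssl CLI for the served-chain check.

```shell
#!/bin/sh
# Added example (not from the Plesk article). Assumes the Debian-style
# /etc/ca-certificates.conf format, where a leading "!" deselects a certificate.

# Deselect DST Root CA X3 in the given conf file if it is still active.
# Returns 0 when the file was changed, 1 when there was nothing to change.
disable_dst_root() {
    conf="$1"
    grep -q '^mozilla/DST_Root_CA_X3\.crt$' "$conf" || return 1
    cp "$conf" "$conf.bak"                      # keep a backup of the original
    tmp="$conf.tmp.$$"
    sed 's|^mozilla/DST_Root_CA_X3\.crt$|!mozilla/DST_Root_CA_X3.crt|' "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# Return 0 when the entry is already deselected ("!" prefix) in the conf file.
dst_root_disabled() {
    grep -q '^!mozilla/DST_Root_CA_X3\.crt$' "$1"
}

# Return 0 when the chain served by host:443 still mentions DST Root CA X3
# (needs network access; the chain listing comes from openssl s_client).
served_chain_has_dst_root() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | grep -q 'DST Root CA X3'
}

main() {
    conf="$1"
    if disable_dst_root "$conf"; then
        echo "Deselected DST Root CA X3 in $conf; rebuilding the CA bundle"
        update-ca-certificates
    elif dst_root_disabled "$conf"; then
        echo "DST Root CA X3 is already deselected in $conf"
    else
        echo "No active DST Root CA X3 entry in $conf; nothing to do"
    fi
}

# Only act when a conf path is given explicitly (e.g. /etc/ca-certificates.conf),
# so sourcing this file for tests never touches the real system configuration.
if [ -n "${1:-}" ]; then main "$1"; fi
```

Run it as root with the conf path as the only argument; a second run reports that the entry is already deselected instead of editing the file again.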
Starting from January 2021, Plesk issues Let's Encrypt certificates using ISRG Root X1.
On Windows, check that the Turn off Automatic Root Certificates Update option is disabled in Local Group Policy Editor under Local Computer Policy > Computer Configuration > Administrative Templates > System > Internet Communication > Internet Communication settings. If it is enabled, disable it, install Windows updates and reboot the server.
If an alternative root was enabled in the panel.ini configuration file before:
- Connect to the server via SSH/RDP.
- Remove the following line from the panel.ini configuration file:
use-alternate-root = true
- Reissue Let's Encrypt certificates for the affected domains.
Comments
39 comments
When you reissue the cert, it already fixes the issue. What is the point of this article? Totally useless for now. How could we bulk reissue the certs?
Mehmet Tahta Hi, to bulk-reissue the certs, add the following to panel.ini, run the "Extension letsencrypt" keep-secured.php under Tools & Settings > Scheduled Tasks (Cron jobs) and remove the directives once the task is finished:
When we reissue an SSL on Windows it is not fixing the issue... If we have to reissue the SSLs, are we not going to hit LE limits?
Jacob Colton Please note that the newly issued certificates use the new root cert, so the issue should be fixed from the client's side by updating the software. As for LE limits, they are applied per-domain, so renewing certificates for multiple domains does not affect these limits.
Please see ticket 315809 where we have provided evidence this is not the case.
Hi all,
My problem is that I use many curl and wget calls in bash scripts, or file_get_contents in PHP.
I can add params to each to deactivate the certificate check, but it's not the best solution, and I have 20 servers with many websites on each...
What can I do to correct this error?
Thanks
PS: my servers are Ubuntu, from 12.04 to 18.04
SSL is not working on Windows 7 since 01-10-2021, only working on Windows 10.
When opening the website on Windows 7, the error "Your connection to this site is not secure" is displayed,
so please let me know how I can resolve this problem.
Hi Arvind Kumar,
For Windows 7, it seems that Microsoft has released an update for it to update the expired certificate.
DST Root CA X3 expiration on Windows7. Which update I need to install? Are there workarounds?
Please keep your operating systems up to date.
Did someone have an idea to correct this for curl / wget commands and for php file_get_contents function ?
Thanks
Hi Fabrice KIMMEL,
I'd bet you have to update the OS packages, to be more accurate it should be the ca-certificates package:
What is the use/purpose of the ca-certificates package?
Thanks Francisco,
Here's a list of what I tried:
The problem is still there...
I'm waiting for a reply from Plesk support, and I will try to do a dist-upgrade on an empty server (Ubuntu 14.04), but I'd prefer to use another solution.
Hi Fabrice KIMMEL,
No need to say that Ubuntu 14 has been EOL for years already, so it is better to migrate to a newer operating system where this issue doesn't happen.
Anyway, if you prefer to take the risk and perform a distro upgrade, we have a guide: How to perform dist-upgrade procedure on Linux server with Plesk?
However, remember that no support is available for this old server. So it's up to you!
I know that it is an old version; the versions I have go from Ubuntu 12 (!!) to Ubuntu 20.
I'm OK to upgrade them, but clients say "why put my website offline for that?? The website works fine!!"... and I can't do it when the client refuses...
I just tried using a free ZeroSSL certificate, and now my test site works with curl...
That can be another solution...
For Ubuntu 16/14 and 12 you can use the following solution.
Open "/etc/ca-certificates.conf" and comment this row: "mozilla/DST_Root_CA_X3.crt"
The ! is the comment character here.
Save the file and run update-ca-certificates
That should fix it.
I compiled this one-liner to fix this:
For more information read:
https://medium.com/geekculture/will-you-be-impacted-by-letsencrypt-dst-root-ca-x3-expiration-d54a018df257
We have 5 Windows hosting servers, and are having this issue with hundreds of domains. I tried deleting the expired certificate so LetsEncrypt was forced to use the ISRG Root X1 certificate.
I thought this had worked, but the expired DST_Root certificate keeps coming back.
Many thanks to you!!!!!
I tried this solution on 2 servers and curl works!!!!
Now it's Friday, 5pm, and I stop working at 6pm, so I'll wait until Monday to deploy on all servers.
I don't think it can create other problems, but I prefer to be present in case something happens.
Thanks for everything Mik, and see you Monday.
For our specific case I managed to fix the client connection problems on the server side by manually removing the DST Root CA X3 from the certificate file of a vhost (note: this might not be the correct solution for all cases). But when I renew the certificate, the DST Root CA X3 is added again.
It seems that certbot has a 'preferred-chain' option, which I can use to force certbot to request a specific intermediate certificate:
sudo certbot renew --force-renewal --preferred-chain "ISRG Root X1"
I cannot find a 'preferred chain' option in the Plesk Lets Encrypt settings (https://docs.plesk.com/en-US/obsidian/administrator-guide/plesk-administration/managing-let%E2%80%99s-encrypt-settings.78586/).
Is there a possibility in Plesk to prevent the DST Root CA X3 being added to the certificate file of vhosts on the Plesk server?
Updated that certificate.conf and renewed the certificates like Rutger Mik posted.
When using the WordPress REST-API with Postman it still gives me the 'Certificate has Expired' notice.
---
Update: me being an idiot... I had to update Postman.
Same issue here... I must manually remove the X3 certificate, but I can't do it every time for each client. How can I fix it in the Plesk Let's Encrypt extension?
Maybe restart the Apache / PHP services? Maybe the certificates file is only read when the service starts?
Thanks for your answer!
I'm managing many Plesk servers and even the newest one (Ubuntu 20.04, installed 1 month ago, newest Plesk) is having the same issue. Server/service reboot did nothing :\
I don't understand what I'm doing wrong... I've got the same issue on Ubuntu 16.04, CentOS 7...
I just had the same problem on another old server; the Mik command doesn't correct the problem.
Try to do an apt-get install ca-certificates to update the package, edit the file /etc/ca-certificates.conf, and search for the line mozilla/DST_Root_CA_X3.crt.
If you don't have the "!" character at the start of the line, close the file, retry the Mik command, and recheck the conf file.
Already done :\ "mozilla/DST_Root_CA_X3.crt" is deselected in this file on every damn server :D
Update the package list (apt-get update) before the apt-get install ca-certificates.
Do you have errors like 404 errors when updating the package list?
I was able to fix the issue using the following steps.
1. Comment out the line mozilla/DST_Root_CA_X3.crt in /etc/ca-certificates.conf.
2. Run the command "update-ca-certificates".
3. Renew the Let's Encrypt certificate from the Plesk panel.
Many Thanks to Rutger and Fabrice.
@Everyone, thank you for the input, the article was updated accordingly
Anyone know how to do this on CentOS?
I don't have `/etc/ca-certificates.conf`
Try this folder /etc/pki/ca-trust/source/anchors
https://stackoverflow.com/questions/37043442/how-to-add-certificate-authority-file-in-centos-7
Thanks Fabrice, I've already checked there and it's an empty folder.
Just for clarification,
Can you please tell me, is this issue only with the Let's Encrypt SSL or with other SSLs too?