41

Today, all of a sudden, all HTTPS requests that my Ubuntu 14 server sends to websites with SSL certificates issued by Let's Encrypt started to fail. The error produced by cURL is:

curl: (60) SSL certificate problem: certificate has expired

When I inspect the website certificates with this command:

echo -n | openssl s_client -showcerts -connect website.com:443 -servername website.com

I see that the whole certificate chain is up to date.

So why do I get the expiration error? How do I fix it?

Finesse
  • 1,131

4 Answers

61

The reason is that the "DST Root CA X3" certificate expired yesterday.

To fix it, just disable the certificate on your server. Run:

sudo dpkg-reconfigure ca-certificates

On the first screen that prompts "Trust new certificates from certificate authorities?" choose "yes". On the next screen press the down arrow key on your keyboard until you find mozilla/DST_Root_CA_X3.crt, press the space bar to deselect it (the [*] should turn into [ ]) and press Enter.

Finesse
  • 1,131
31

Edit the file /etc/ca-certificates.conf

Find the following line and comment it out with a leading !, so that it looks like this:

!mozilla/DST_Root_CA_X3.crt

Save the file and update the certificates with the command

sudo update-ca-certificates

mikep
  • 459
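The edit described in the two answers above can be scripted so it is exact and repeatable; the following is an added example, not code from either answer. It assumes the /etc/ca-certificates.conf format (one entry per line, a leading ! meaning "ignore") and runs here against a constructed copy of that file rather than the real one.

```shell
#!/bin/sh
# Added example: comment out one CA entry in a ca-certificates.conf-style
# file so that update-ca-certificates drops it from /etc/ssl/certs.
# Entries look like "mozilla/Foo.crt" (enabled) or "!mozilla/Foo.crt" (ignored).
# Returns 0 when the entry is (now) disabled, 1 when it is not in the file.
disable_ca_cert() {
    conf="$1"   # path to the conf file (normally /etc/ca-certificates.conf)
    name="$2"   # entry to disable, e.g. mozilla/DST_Root_CA_X3.crt
    if grep -qx "!$name" "$conf"; then
        echo "$name is already disabled in $conf"
        return 0
    fi
    if ! grep -qx "$name" "$conf"; then
        echo "$name not found in $conf" >&2
        return 1
    fi
    # Exact line match via awk (no regex metacharacters from the name);
    # write to a temp file first so a failed write never truncates the conf.
    tmp="$conf.tmp.$$"
    awk -v n="$name" '$0 == n { print "!" n; next } { print }' "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
    echo "disabled $name; now run: sudo update-ca-certificates"
}

# Report an entry's state: 0 = enabled, 1 = disabled, 2 = absent.
ca_cert_state() {
    if grep -qx "$2" "$1"; then return 0; fi
    if grep -qx "!$2" "$1"; then return 1; fi
    return 2
}

# Constructed sample conf for demonstration (the real file is /etc/ca-certificates.conf).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
mozilla/DST_Root_CA_X3.crt
mozilla/ISRG_Root_X1.crt
EOF

disable_ca_cert "$SAMPLE_CONF" mozilla/DST_Root_CA_X3.crt
```

Point it at the real file only after checking that the expired root is the one you intend to drop; the ISRG Root X1 entry stays enabled so the Let's Encrypt chain still verifies.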
7

FYI, on CentOS-like (RPM-based) systems, use:

yum reinstall ca-certificates

Marc Pope
  • 179
  • 4
4

So why do I get the expiration error?

Android made a design decision to ignore the expiry on root certificates (it's arguable that expiry on root certificates doesn't make much sense in the first place).

"Let's Encrypt" is a relatively new CA and to support existing systems their root was "cross-signed"* by DST. The DST root certificate has now expired but because of the aforementioned Android behavior a cross signature is still useful for supporting clients running old versions of Android.

When such a chain is used on a system with a modern root certificate list the cross signature should be ignored and the ISRG (Let's Encrypt) root should be used. Unfortunately openssl 1.0.x does not handle this scenario correctly.

This issue can be worked around by removing the old DST root certificate. When this is done the chain will correctly be built to the ISRG root.

* My understanding is that technically the "cross signature" consists of an "intermediate certificate" with the same content and key as Let's Encrypt's root certificate.

plugwash
  • 6,719