Certbot not renewing certs after Sept 30th

Discussion in 'Installation/Configuration' started by brainsys, Oct 15, 2021.

  1. brainsys

    brainsys Member

    If you are using (non-snap) Certbot you may have two weeks to fix this issue if renews after Sept 30th are failing. The problem is an expiring certificate in the Letsencrypt chain which causes openssl to fault. I have a little script that fortnightly checks all my site certificate expire and so had a little shock this morning.

    Good news is the fix is simple. This if you have Debian/Ubuntu:
    * nano /etc/ca-certificates.conf
    * change mozilla/DST_Root_CA_x3.crt to !mozilla/DST_Root_CA_x3.crt
    * save
    * run update-ca-certificates

    That's it. You can rsync your websites to refresh or just wait for the certbot to renew overnight. Thanks to Gaurang here:
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. brainsys

    brainsys Member

    Sorry - that didn't show up in my Google searches.
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Note the server sends your certificate, generally with intermediate certificates, and without the trusted root, it is the client which fails to build the alternate trust chain to verify the certificate - so the actual issue you had and fixed was that of your fortnightly script.
    Gwyneth Llewelyn likes this.

Share This Page