The DST Root CA X3 certificate expired, leaving many devices on the internet having issues connecting to services and certificates that use this Root CA, including those using Letโs Encrypt certificates.
Some of these problematic devices include Samsung Galaxy phones, iPhones, VDI zero and thin clients, and even Sophos UTM firewalls.
The Problem
Letโs Encrypt originally used the โDST Root CA X3โ certificate to issue Letโs Encrypt certificates. However, as time has passed and the service has been used more, they now use โISRG Root X1โ and โISRG Root X2โ as Root CAโs and โLetโs Encrypt R3โ as an intermediate certificate.
Older devices may be using the older Root CA which expired today (September 30th, 2021). Please see https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ for more information.
The Fix
To fix this issue, you need to add the 2 new Root CAs to your computer or device.
Root CA Certificates (PEM format):
Intermediate Certificate (PEM format):
You can download them by clicking the links above or go to https://letsencrypt.org/certificates/ for more information and to download if you donโt trust the above links.
After downloading and adding these Root CAs and the Intermediate CA to your computer or device, you should have the full certificate chain to validate the Letโs Encrypt certificates. You only need to add the two root certificates. The Letโs Encrypt certificates that are used on websites that you visit and that you might have deployed on your servers should now work without any issues.
*Steps to import PEM Certificates
Go to windows search, type “Internet Options”
Go to Contents > Certificates > Trusted Root Certification Authorities > Import > Browse > Select All Files on top of the “Open” and “Cancel” button > Select ISRG Root X1. Do the same steps for ISRG Root X2.
Source: www.stephenwagner.com
