Let’s Encrypt DST Root CA X3, Centos 7 and Virtualmin

ivanbg · September 23, 2021, 2:33pm

SYSTEM INFORMATION

OS type and version:	CentOS Linux 7.9.2009
Webmin version:	1.981
Virtualmin version:	6.17
Related products version:	RECOMMENDED

I am using Let’s Encrypt with certbot and Virtualmin to renew the TLS certificates of my domains.

DST Root CA X3 is expiring on September 30 2021 and can cause problems on old systems like centos 7 and OpenSSL 1.0.2.

I think, when we are renewing SSL certificate with Virtualmin we are using this command (I am not using the command line, only the GUI in Virtualmin):

certbot renew --dry-run --preferred-chain "ISRG Root X1".

But I’d like to be sure… (I haven’t really dug into this stuff, but I think if it is the case, we avoid the problem with DST Root CA X3).

Can there be any problems in Centos 7 and Virtualmin after September 30th for not deleting DST Root CA X3 from CentOS Trust certificates?

Thank you very much (sorry for my English).

References:

https://blog.devgenius.io/lets-encrypt-change-affects-openssl-1-0-x-and-centos-7-49bd66016af3#bd4c

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

ivanbg · September 24, 2021, 8:11am

Hello,

CentOS has published an update package to solve the problem

An update to ca-certificates from 2020.2.41-70.0.el7_8 to 2021.2.50-72.el7_9 is needed.
This update has been successfully installed.

geocrasher · September 28, 2021, 1:09pm

Came here to check on this, and am glad I did. Here’s an easy fix:

rpm -qa | grep ca-certificates-2021.2.50-72.el7_9.noarch || yum update -y ca-certificates

system · November 27, 2021, 1:09pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.