Problems with Let’s Encrypt September 30

I’ve got a problem with the Let’s Encrypt root certificate from September 30th.
I thought I had fixed it but that’s not the case.
I’m running Virtualmin 6.08 on CentOS 6.10 (an old one, I know) and I don’t know what to do to make my SSL HTTPS site work. I have tried to change the Root Certificates of each site to ISRG Root X1 but it doesn’t change anything, and when I ask for Let’s Encrypt renewal, it will change my Root Certificate back to the bad one.
What can I do? Thanks

You need to upgrade to a supported version of your OS. That’s not really optional for a world-facing server.

But, you can also see my replies in this very long thread for lots of explanation about what’s going on with old EOL Linux clients, and how you can work around it (but it’s going to be a challenge to get the current certbot version installed on CentOS 6, maybe not even possible, I dunno, haven’t tried in a long time).

present bad and expired certificates · Issue #1533 · webmin/webmin · GitHub

I would recommend you ignore everyone in that thread except my comments (swelljoe), because everybody else is still trying to figure out what’s going on as the thread progresses, and they’re all consistently misunderstanding the problem and possible solutions pretty much throughout the whole thread. It’ll just confuse you to read everybody else in the thread, including Jamie who is usually smarter than all of us.

But, you also need to understand what the problem is better. Your server being old has no bearing on the way Let’s Encrypt signs certs. It issues a cert signed with an expired cross-signed cert, by default, no matter what your OS is.

In short:

  1. You can make your old CentOS 6 server able to connect to servers using certs signed by that R3 cross-signed cert, by deleting the DST Root CA X3 cert from your local CA cert bundle (how to do that on CentOS is an exercise for the reader), and make sure you have the new one (ISRG Root X1) in your trust bundle. The new one can be downloaded from the LE site if you don’t already have it.
  2. You can make very new versions of certbot (but almost no other ACME clients) request a different chain using the --preferred-chain option (check that ticket I linked for the exact details). acme_tiny as bundled with Webmin and used on CentOS 6 (because installing certbot on CentOS 6 is extreme) cannot use this option. So…you may not be able to get there from here with such an old OS.
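A check for the trust-store state described in step 1 of the reply above, as an added example that is not part of the original thread or of Webmin/Virtualmin: it decodes a PEM CA bundle with Python 3's ssl module and reports whether DST Root CA X3 is still present and ISRG Root X1 is trusted. The function names, the sample certificate entries and the fixed clock value are assumptions constructed for illustration; it also assumes Python 3 is available, on the server or on another machine the bundle file is copied to.

```python
import ssl
import sys
import time

OLD_ROOT = "DST Root CA X3"  # expired root to remove from the bundle
NEW_ROOT = "ISRG Root X1"    # root that must be trusted instead

# Constructed sample input, shaped like ssl.SSLContext.get_ca_certs() output.
SAMPLE_BEFORE = [
    {"subject": ((("commonName", OLD_ROOT),),),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("commonName", NEW_ROOT),),),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]
SAMPLE_NOW = ssl.cert_time_to_seconds("Oct  1 00:00:00 2021 GMT")


def common_name(cert):
    """Return the subject commonName of a decoded cert dict, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit(certs, now=None):
    """Compare decoded CA certs with the trust-store state from step 1."""
    now = time.time() if now is None else now
    names = {common_name(c) for c in certs}
    expired = sorted(common_name(c) or "<no CN>" for c in certs
                     if ssl.cert_time_to_seconds(c["notAfter"]) < now)
    return {"old_root_present": OLD_ROOT in names,
            "new_root_present": NEW_ROOT in names,
            "expired": expired,
            "ok": OLD_ROOT not in names and NEW_ROOT in names}


def load_bundle(path):
    """Decode every CA certificate in the PEM bundle at `path`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()


if __name__ == "__main__" and len(sys.argv) == 2:
    report = audit(load_bundle(sys.argv[1]))  # argv[1]: CA bundle file path
    print(report)
    sys.exit(0 if report["ok"] else 1)
```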

Hello Joe,
thanks for such a detailed answer.
I have understood that my server is too old and I need to migrate 🙂
I have just ordered a brand new Ubuntu and am trying to migrate everything from the very old one to the brand new one, and it’s not easy. You’ll see other threads about the issues I have.
Thanks for your help!

I don’t generally make recommendations about which of our supported distros to choose, but moving from one CentOS version to another CentOS version is much easier than moving to another distro entirely.

Oh yes, I understand and I have thought about it, but I’m afraid I could have to change again because of CentOS 8 end of life … I think it is not recommended to rely on CentOS right now, is it?
For the moment it seems difficult, but the most difficult issues are migrating very old WordPress to work with PHP 7.4 and MySQL 8 🙂

No. I still recommend CentOS 8 for people who prefer RPM based distros, and for people already using CentOS. Where’d you get the idea it is not recommended? I’ve been very emphatic that it is still the recommended distro and version for people already using CentOS, I think (and it is still the distro and version I put on my new servers, I’m not just telling others to do this…it’s what I’m doing).

There are multiple easy migration paths (at least Alma and Rocky have conversion processes that only take a few minutes) for when CentOS 8 reaches EOL and goes to Stream only.

Sorry, I was probably in a hurry to change … I had read about the quick end of support of CentOS 8 but not the fact that there were easy solutions to keep on working with it.
Well, I think I have migrated enough domains now from my CentOS 6 to stay on this Ubuntu for the moment.
Thanks again for your help. I wish I had asked before. Now time to work on old WordPress and PHP 7.
