Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HEADS UP: DST Root CA X3 Expiration (September 2021)

    Scheduled Pinned Locked Moved ACME
    31 Posts 12 Posters 10.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • VioletDragonV
      VioletDragon @JeGr
      last edited by

      @jegr Firefox seems to handle it differently. I've noticed that it only happens when signed into a Firefox account so not sure if the account saves the cache but it's a strange one.

      1 Reply Last reply Reply Quote 0
      • M
        marcosm Netgate
        last edited by

        The browsers / Windows have their own trusted root CAs. I expect that once the old ones expire/get removed/revoked from those built-in stores, the new chain will take precedence and show correctly.

        1 Reply Last reply Reply Quote 0
        • S
          sergio.londono
          last edited by

          for testing while the SSL expire, We did:

          Delete the expiring Root CA from the client browser.
          image2021-9-19_12-25-44.png

          Then, Open private browser:
          image2021-9-19_12-26-3.png

          VioletDragonV 1 Reply Last reply Reply Quote 2
          • VioletDragonV
            VioletDragon @sergio.londono
            last edited by

            @sergio-londono That's solved the problem, Cheers :)

            1 Reply Last reply Reply Quote 1
            • M
              maverick_slo
              last edited by

              Hi all.
              We use pfsense 2.4.4 version.
              I did all the steps and all looks ok.

              However reading about openssl, will acme (or any other thing) have issues when renewing certs? Like acme accessing le api which use le cert naturally?

              If so, is there a way to fix it as we are unable to upgrade.

              Thanks.

              VioletDragonV 1 Reply Last reply Reply Quote 0
              • VioletDragonV
                VioletDragon @maverick_slo
                last edited by

                @maverick_slo why such a old version of pfsense? I would recommend updating.

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @VioletDragon
                  last edited by

                  @violetdragon said in HEADS UP: DST Root CA X3 Expiration (September 2021):

                  I would recommend updating.

                  While I would too - but I also have some units still on 2.4.4p3 - covid being the reason, with nobody on site.. And I can not go in - can not risk it. They might have to stay on that version until things really get back to normal. And I can be onside for update, and other remote sites have people there that can be my smart hands if things go belly up. Things normally go fine - but just not something can risk at this time. Maybe he is in the same sort of boat.. I hope he meant p3, this was the latest version before covid became a factor..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  VioletDragonV 1 Reply Last reply Reply Quote 1
                  • VioletDragonV
                    VioletDragon @johnpoz
                    last edited by

                    @johnpoz that makes sense. I have worked with people that neglects updating or just too lazy to do updates. Certs should be fine providing you have done the fix in this thread. Openssl has been updated since. You can try doing a dry run to see if it fetched a fake Cert if it does then you will be fine until you can update.

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @VioletDragon
                      last edited by

                      @violetdragon I hear ya - you should always be current completely agree 110% Its kind of eating at me that they are not current ;)

                      But these are different times for sure.. Before this I would of pulled the trigger on a sunday evening from home on the update, even if version just came out on saturday ;) Because I knew I could just go in bit early monday if it went belly up..

                      So I am currently more willing to give some people slack on the update.. But yeah stay current I am with ya.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      VioletDragonV 1 Reply Last reply Reply Quote 0
                      • VioletDragonV
                        VioletDragon @johnpoz
                        last edited by

                        Just thought i'd put this out there, you can verify your SSL Cert by using the following.

                        Tests using TLS 1.3
                        openssl s_client -connect yourdomain.com:443 -tls1_3  
                        
                        Tests using TLS 1.2
                        openssl s_client -connect yourdomain.com:443 -tls1_2 
                        
                        
                        1 Reply Last reply Reply Quote 0
                        • M
                          maverick_slo
                          last edited by

                          My certs are fine πŸ™‚
                          My question was actually if acme will have issues obtaining NEW certs from today onwards.

                          GertjanG JeGrJ 2 Replies Last reply Reply Quote 0
                          • GertjanG
                            Gertjan @maverick_slo
                            last edited by

                            @maverick_slo

                            Noop.
                            Letenscrypt uses the new intermediate and root certificate to sign yours.
                            'We' have to do ... nothing.

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                            1 Reply Last reply Reply Quote 0
                            • jimpJ
                              jimp Rebel Alliance Developer Netgate
                              last edited by

                              @maverick_slo said in HEADS UP: DST Root CA X3 Expiration (September 2021):

                              My certs are fine πŸ™‚
                              My question was actually if acme will have issues obtaining NEW certs from today onwards.

                              As long as the ACME package is renewing certs with ACME v2 you're fine. Not all of the older versions of the ACME package support that, but if that was a problem, it would have been failing for the last few months already. That's unrelated to this intermediate expiring.

                              I've even copied (edited) ACME package files from a current package version back to a 2.3.x install and it renewed a cert fine there with ACME v2 and got the correct intermediate after I cleared out the old one.

                              Remember: Upvote with the πŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                              1 Reply Last reply Reply Quote 0
                              • JeGrJ
                                JeGr LAYER 8 Moderator @maverick_slo
                                last edited by

                                @maverick_slo said in HEADS UP: DST Root CA X3 Expiration (September 2021):

                                My question was actually if acme will have issues obtaining NEW certs from today onwards.

                                Acme didn't have problems in the first place. It assigned new Intermediates back like at the start of the year as the revocation was known well in advance. I have systems I haven't touched in over a year that run completely autonomous with acme.sh or certbot (or other LE clients) without a hitch. It's only when local certificate stores or wrong CA chains from the OS etc. mixed with "unable to (auto) update thing" come into play that things go wrong ;)

                                Don't forget to upvote πŸ‘ those who kindly offered their time and brainpower to help you!

                                If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                                1 Reply Last reply Reply Quote 1
                                • F
                                  Flemmingss @jimp
                                  last edited by

                                  @jimp

                                  This one worked for me 😊
                                  Now iOS devices get valid certificates
                                  efbdd3d8-1552-4b36-a011-3847452d8d1b-image.png

                                  M 1 Reply Last reply Reply Quote 0
                                  • M
                                    mcury @Flemmingss
                                    last edited by mcury

                                    It seems that this problem is affecting Plex.. It appears to be solved now, but some old devices won't be able to connect through secure connections anymore..

                                    https://forums.plex.tv/t/important-information-about-plex-for-smart-tvs-after-september-30-2021/746506

                                    dead on arrival, nowhere to be found.

                                    DaddyGoD 1 Reply Last reply Reply Quote 0
                                    • DaddyGoD
                                      DaddyGo @mcury
                                      last edited by

                                      @mcury said in HEADS UP: DST Root CA X3 Expiration (September 2021):

                                      It seems that this problem is affecting Plex..

                                      Nope, not only Bro., it also affected our NextCloud servers too πŸ˜‰

                                      PS:

                                      (Are you all right?
                                      if you have time, we could talk this weekend, long time since I heard the new news from BR)

                                      Cats bury it so they can't see it!
                                      (You know what I mean if you have a cat)

                                      M VioletDragonV 2 Replies Last reply Reply Quote 0
                                      • M
                                        mcury @DaddyGo
                                        last edited by

                                        Oh, didn't know about NextCloud servers..

                                        I'm all right, thanks for asking, and how about you?

                                        I'll be traveling to Buzios/RJ this weekend, going to the beach hehe
                                        I'll be back on Sunday night, I'll send you a message to give you some news about here, hope everything is better for you guys there in Portugal too =)

                                        dead on arrival, nowhere to be found.

                                        1 Reply Last reply Reply Quote 0
                                        • VioletDragonV
                                          VioletDragon @DaddyGo
                                          last edited by

                                          @daddygo How exactly do you have SSL Configured on NextCloud? on the Server itself using Acme or Lets Encrypt or with Haproxy? It was only the SSL Certs that were affected on pfSense but for Postfix and Dovecot Certs are all fine thats with Certbot.

                                          J 1 Reply Last reply Reply Quote 0
                                          • jimpJ jimp unpinned this topic on
                                          • jimpJ jimp pinned this topic on
                                          • jimpJ jimp locked this topic on
                                          • jimpJ
                                            jimp Rebel Alliance Developer Netgate
                                            last edited by jimp

                                            This thread was only for the expiring CA from Let's Encrypt with the ACME package. It is not for issues accessing things as a client.

                                            If you are using outdated versions of pfSense or other clients without a current set of up-to-date root certificates, read and post in one of the existing threads in the General pfSense Questions category for that specific use case.

                                            Remember: Upvote with the πŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                                            Need help fast? Netgate Global Support!

                                            Do not Chat/PM for help!

                                            1 Reply Last reply Reply Quote 0
                                            • johnpozJ johnpoz referenced this topic on
                                            • johnpozJ johnpoz referenced this topic on
                                            • jimpJ jimp unpinned this topic on
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.