Hello, I use certbot to generate Let's Encrypt certs, and anvil to push and pull them around to various jails hosting websites. From the client side, the certs work as expected--no validity or expiry issues. In Windows, I can inspect the certificate chain and see all is in order.
But locally, when I try to verify the certificate with OpenSSL, I get the dreaded:
Code:
# openssl verify -verbose -CAfile /usr/local/etc/ssl/mydomain.com.fullchain.cer /usr/local/etc/ssl/mydomain.com.cer
O = Digital Signature Trust Co., CN = DST Root CA X3
error 10 at 3 depth lookup: certificate has expired
error /usr/local/etc/ssl/mydomain.com.fullchain.cer: verification failed
I've read all about this. I know the Let's Encrypt root certificate being complained of expired in 2021. But from my inspection in Windows, I confirm the expired certificate is NOT part of the cert chain found in mydomain.com.fullchain.cer. Somehow, OpenSSL is finding it on all my FreeBSD instances.
I read: https://forums.freebsd.org/threads/dst-root-ca-x3-certificate-has-expired.82364/. I followed SirDice's suggestions.
Code:
# freebsd-version
13.1-RELEASE-p5
# openssl version
OpenSSL 1.1.1o-freebsd 3 May 2022
# pkg -v
1.19.0
# rm /usr/local/etc/ssl/cert.pem
# pkg install -f ca_root_nss
# certctl rehash
# pkg info | grep ca_root_nss
ca_root_nss-3.86 Root certificate bundle from the Mozilla Project
When I run
Code:
# openssl s_client -showcerts -connect valid-isrgrootx1.letsencrypt.org:443
I get the expected output--no expired certs reported.
But when I verify my own certificates, OpenSSL continues to complain of expired DST Root CA X3.
The only file in /usr/local/share/certs is ca-root-nss.crt, current to January 2, 2023.
I have two hosts, running five jails that host web and mail services. The hosts and the jails all report the same problem. Even on my certbot jail openssl reports the problem.
I am at a loss and welcome any advice or direction you can offer.
Thanks
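The following is an added example, not part of the post above and not the poster's own commands. It rebuilds the failure with a throw-away toy PKI so the mechanism can be seen offline. The shape of the posted command is the key point: passing the fullchain file as -CAfile makes every certificate in it a trust-store candidate, including the cross-signed copy of the root (the long Let's Encrypt chain of that period ended in ISRG Root X1 issued by DST Root CA X3, which is why DST Root CA X3 is not in the file yet is still named by it), and unless -no-CApath is given, openssl verify also loads the default CA directory next to whatever -CAfile names. Path building then walks cross-signed root -> old root and reports "error 10 at 3 depth lookup" once that old root has expired. The usual fix is to keep only self-signed roots in -CAfile and hand the chain over with -untrusted. All names in the script are made up ("Toy Old Root" stands in for DST Root CA X3, issued for one day so it can be "expired" via -attime, "Toy New Root" for ISRG Root X1, "Toy R3" for R3, mydomain.example for the host); it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the forum post: toy PKI reproducing
# "error 10 at 3 depth lookup: certificate has expired" from the posted
# "openssl verify -CAfile fullchain ..." shape, next to the shape that verifies.
# All names are made up (Toy Old Root = DST Root CA X3 stand-in, Toy New Root =
# ISRG Root X1 stand-in, Toy R3 = R3 stand-in).  Needs only the openssl CLI.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Run a setup command quietly; abort if it fails.
q() { "$@" >/dev/null 2>&1 || { echo "setup failed: $*" >&2; exit 1; }; }

# x509v3 extensions for CA certificates and for the leaf (unnamed -extfile section).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mydomain.example\n' > leaf.ext

for n in old new r3 leaf; do q openssl ecparam -name prime256v1 -genkey -noout -out "$n.key"; done
q openssl req -new -key old.key  -subj "/CN=Toy Old Root"     -out old.csr
q openssl req -new -key new.key  -subj "/CN=Toy New Root"     -out new.csr
q openssl req -new -key r3.key   -subj "/CN=Toy R3"           -out r3.csr
q openssl req -new -key leaf.key -subj "/CN=mydomain.example" -out leaf.csr

# Self-signed roots: the old one lives one day, the new one ten years.
q openssl x509 -req -in old.csr -signkey old.key -days 1    -extfile ca.ext -out old.crt
q openssl x509 -req -in new.csr -signkey new.key -days 3650 -extfile ca.ext -out new.crt
# Cross-sign: same subject and key as new.crt, but issued by the old root.
q openssl x509 -req -in new.csr -CA old.crt -CAkey old.key -CAcreateserial -days 3650 -extfile ca.ext -out new-cross.crt
# Intermediate under the new root, leaf under the intermediate.
q openssl x509 -req -in r3.csr   -CA new.crt -CAkey new.key -CAcreateserial -days 3650 -extfile ca.ext   -out r3.crt
q openssl x509 -req -in leaf.csr -CA r3.crt  -CAkey r3.key  -CAcreateserial -days 90   -extfile leaf.ext -out leaf.crt

# A certbot-style long fullchain: leaf, R3, cross-signed root.
# Neither the self-signed new root nor the old root is in this file.
cat leaf.crt r3.crt new-cross.crt > fullchain.crt

NOW=$(date +%s)
FUTURE=$((NOW + 2 * 86400))   # old.crt has expired by then; everything else is still valid

# The posted shape: the fullchain file IS the trust store.  old.crt is added to it
# here to stand in for the copy of the expired root that openssl found on the host
# (without -no-CApath, verify also loads the default CA directory next to -CAfile).
# Prints openssl's output; always returns 0 so the caller can capture it under set -e.
verify_as_posted() {
    cat fullchain.crt old.crt > trusted-as-posted.pem
    openssl verify -no-CApath -attime "$1" -CAfile trusted-as-posted.pem leaf.crt 2>&1 || true
}

# The working shape: only self-signed roots are trusted; the fullchain is merely a
# pool of untrusted candidates.  The expired old root is kept in the trust store on
# purpose: it is harmless now, because the cross-signed certificate is no longer a
# trusted candidate, so path building stops at the self-signed new root.
verify_with_anchor() {
    cat new.crt old.crt > trusted.pem
    openssl verify -no-CApath -attime "$1" -CAfile trusted.pem -untrusted fullchain.crt leaf.crt 2>&1 || true
}

echo "--- as posted, today (old root still valid):";      verify_as_posted "$NOW"
echo "--- as posted, after the old root expires:";        verify_as_posted "$FUTURE"
echo "--- self-signed root as anchor, same future date:"; verify_with_anchor "$FUTURE"
```

On the FreeBSD hosts described above, the equivalent of verify_with_anchor would be `openssl verify -CAfile /usr/local/share/certs/ca-root-nss.crt -untrusted /usr/local/etc/ssl/mydomain.com.fullchain.cer /usr/local/etc/ssl/mydomain.com.cer` (paths taken from the post; whether that bundle is the one the host should trust is for the operator to decide). Adding -show_chain to either invocation prints the path openssl actually built, which is the quickest way to see which certificate it is using at depth 3.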