Let’s Encrypt root certificate expired (urgent)

jtrench · October 1, 2021, 1:40pm

After the expiration of Let’s Encrypt root certificates, yesterday, there are many mail applications that can’t access to my box unless they accept the old certificate.

This box is still v.0.30 , so I don’t know if there is something I can do with this version and this Ubuntu.

There are 11 software packages that can be updated…

libapt-pkg4.12 (1.0.1ubuntu2.24)
apt (1.0.1ubuntu2.24)
libapt-inst1.5 (1.0.1ubuntu2.24)
apt-utils (1.0.1ubuntu2.24)
apt-transport-https (1.0.1ubuntu2.24)
ubuntu-release-upgrader-core (1:0.220.11)
python3-distupgrade (1:0.220.11)
grub-pc (2.02~beta2-9ubuntu1.17)
grub-pc-bin (2.02~beta2-9ubuntu1.17)
grub2-common (2.02~beta2-9ubuntu1.17)
grub-common (2.02~beta2-9ubuntu1.17)

…but nothing seems to be related to Let’s Encrypt.

I am also afraid that if I reboot… a big certificate problen could arise and make my server unavailable.

Any ideas?
Is there someone withe same problem?

Thank you In advance:
Jeremy

BTW:
Lots of info here about the certificate question: DST Root CA X3 expiry countdown - ISRG/Organizational - Let's Encrypt Community Support

JoshData · October 1, 2021, 2:59pm

If you have clients that can’t connect to your Mail-in-a-Box anymore, there are two ways you can probably handle this problem:

As described at DST Root CA X3 Expiration (September 2021) - Let's Encrypt, you can manually add ISRG Root X1 (listed at Chain of Trust - Let's Encrypt) to your client devices’s trusted root store, although I am not sure if ISRG Root X1 is compatible with all older devices.
You can provision your own SSL/TLS certificate that is compatible with your client devices and install it using the Mail-in-a-Box control panel.

jtrench · October 1, 2021, 4:32pm

Thank you, Josh:

So there is nothing I can do from the server? Even updating to v0.54?

Provisioning my own SSL/TLS certificate seems a little bit risky for me. Everything is so well done in MIAB that I am afraid of touching anything out of the standard procedures.

Does anyone know any tutorial or instructions to update a two years old Android ?

Thank you in advance:
Jeremy

JoshData · October 1, 2021, 5:25pm

It doesn’t really have anything to do with the server.

Provisioning my own SSL/TLS certificate seems a little bit risky for me.

Installing a certificate is actually pretty easy and safe. The only trick is I don’t know if other TLS certificate providers will have the same compatibility issues as Lets Encrypt. Probably the big names (Verisign, Comodo, GoDaddy) will provide certificates with the greatest compatibility. But I haven’t been tracking this issue closely.

openletter · October 2, 2021, 12:35am

You really should upgrade. The longer you wait, the worse it will be.

alento · October 2, 2021, 1:45pm

You really need to upgrade - seriously. I am available to perform this for you at my normal rate if so desired, in case your reason for not staying current has been lack of available time.

jtrench · October 14, 2021, 9:21am

Just in case someone needs it:

The problem arises even in new Android phones when using mail apps (like Edison Mail or Blackberry Hub for Android).

I´ve found the solution in Reddit: https://www.reddit.com/r/blackberry/comments/pyky4v/comment/heyju7t/?utm_source=share&utm_medium=web2x&context=3

Here is the solution:

Just to let you know. I encountered the same problem. I solved it by deactivating the old root certificate in Android settings manually.

Settings → Security & Location → Encryption & credentials → Trusted credentials

Search there in the system column for the Digital Signature Trust Co. (DST Root CA X3) expired certificate and deactivate it. Restart the Blackberry Hub and voila.

system · November 23, 2021, 9:21am

This topic was automatically closed 40 days after the last reply. New replies are no longer allowed.