I can’t connect to a remote URL from my Amazon Elastic Compute Cloud (Amazon EC2) instance that has a Let's Encrypt certificate. Or, I receive an error message that says my Let's Encrypt certificate expired.
Short description
If the certificate chain for your Let's Encrypt certificate relies on the cross-signed DST Root CA X3 certificate, which has expired, then you receive an expired certificate error. To resolve this issue, update the affected package for your operating system (OS).
For compatibility purposes, Let's Encrypt certificates use a certificate chain that's cross-signed by the DST Root CA X3 certificate, which expired on September 30th, 2021. OpenSSL 1.0.2 prefers the untrusted chain that the server sends over the certificates in the local root store, so the certificate validation process reaches the expired DST Root CA X3 certificate and distrusts the entire chain as expired. Servers with OpenSSL 1.0.2 and the DST Root CA X3 certificate in their root store can't issue or renew Let's Encrypt certificates. Affected servers also can't access the servers that use the Let's Encrypt certificates.
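The following added example (not part of the original article) models why a client that follows the server-sent chain fails once DST Root CA X3 has expired, and why removing that certificate from the root store fixes it. The certificates are constructed dictionaries, not real X.509 data, and the trusted-first and alternative-chain behaviours are a simplified model of OpenSSL, not its code.

```python
from datetime import datetime
def cert(subject, issuer, not_after):
    """Constructed stand-in for an X.509 certificate (no keys, no signatures)."""
    return {"subject": subject, "issuer": issuer, "not_after": not_after}
# Constructed sample hierarchy using the public Let's Encrypt names and expiry dates.
LEAF = cert("www.example.com", "R3", datetime(2021, 12, 1))
R3 = cert("R3", "ISRG Root X1", datetime(2025, 9, 15))
ISRG_X1_CROSS = cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30))  # cross-sign
ISRG_X1_SELF = cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4))
DST_X3 = cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30))
SERVER_CHAIN = [LEAF, R3, ISRG_X1_CROSS]   # the default chain a Let's Encrypt server sends
NOW = datetime(2021, 10, 1)                # the day after DST Root CA X3 expired

def build_chain(presented, trust_store, trusted_first):
    """Return the chain a client would validate, or None if no trust anchor is found.
    trusted_first=False models OpenSSL 1.0.2: server-sent issuers are consumed before
    the local store is consulted. trusted_first=True models OpenSSL 1.1.0 and later."""
    by_subject = {c["subject"]: c for c in trust_store}
    untrusted = {c["subject"]: c for c in presented[1:]}
    chain = [presented[0]]
    while chain[-1]["issuer"] != chain[-1]["subject"]:   # extend with server-sent certs
        issuer = chain[-1]["issuer"]
        if issuer not in untrusted or (trusted_first and issuer in by_subject):
            break
        chain.append(untrusted[issuer])
    while chain:                                          # look for a trust anchor
        tail = chain[-1]
        if tail in trust_store:                           # the tail itself is trusted
            return chain
        if tail["issuer"] in by_subject:
            return chain + [by_subject[tail["issuer"]]]
        chain.pop()   # "alternative chains": drop the untrusted tail and retry
    return None

def verify(presented, trust_store, now=NOW, trusted_first=False):
    """Chain building happens first; expiry is checked on the finished chain, so an
    expired anchor is reported rather than triggering another chain search."""
    chain = build_chain(presented, trust_store, trusted_first)
    if chain is None:
        return False, "unable to get issuer certificate"
    for c in chain:
        if c["not_after"] < now:
            return False, f"certificate has expired: {c['subject']}"
    return True, " -> ".join(c["subject"] for c in chain)

if __name__ == "__main__":
    print("OpenSSL 1.0.2, DST Root CA X3 in store:", verify(SERVER_CHAIN, [DST_X3, ISRG_X1_SELF]))
    print("OpenSSL 1.0.2, DST Root CA X3 removed: ", verify(SERVER_CHAIN, [ISRG_X1_SELF]))
    print("OpenSSL 1.1.0+, DST Root CA X3 in store:", verify(SERVER_CHAIN, [DST_X3, ISRG_X1_SELF], trusted_first=True))
```

The second case is the effect of the package updates and sed commands in the Resolution section: with DST Root CA X3 gone from the store, the client backtracks and anchors the chain at its own copy of ISRG Root X1 instead.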
EC2 instances that run the following OS might encounter issues with Let's Encrypt certificates:
- CentOS and Red Hat Enterprise Linux (RHEL) 7 or lower
- Amazon Linux 1 (AL1) and Amazon Linux 2 (AL2)
- Ubuntu 16.04 or lower
- Debian 8 or lower
Resolution
Update the package in Ubuntu
For Ubuntu 16.04, update OpenSSL to version 1.0.2g-1ubuntu4.20 or later. For more information, see Expiring trust anchor compatibility issue on the Launchpad website.
Note: Ubuntu versions earlier than 16.04 are at end of life. Ubuntu no longer supports these versions, even though a manual fix might be possible.
Update the package in AL1 or AL2
For AL1 or AL2, you can relaunch the instance to automatically apply the updated ca-certificates package.
To update an existing instance, run the following command to update the ca-certificates:
sudo yum update ca-certificates
If you use an Amazon Machine Image (AMI) with a locked repository GUID, such as AWS Elastic Beanstalk, then you must install an updated ca-certificates package. Run one of the following commands based on your Amazon Linux version.
AL1:
sudo yum install https://cdn.amazonlinux.com/patch/ca-certificates-update-2021-09-30/ca-certificates-2018.2.22-65.1.24.amzn1.noarch.rpm
AL2:
sudo yum install https://cdn.amazonlinux.com/patch/ca-certificates-update-2021-09-30/ca-certificates-2021.2.50-72.amzn2.0.1.noarch.rpm
It's a best practice to use the yum command to update existing instances. However, to modify the system in place, run one of the following commands:
AL1:
sudo sed -i'' '/Alias: DST Root CA X3/,/No Rejected Uses./d' /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
sudo update-ca-trust
AL2:
sudo sed -i'' '/DST Root CA X3/,/\[p11-kit-object-v1\]/d' /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
sudo update-ca-trust
Update the package in RHEL or CentOS
For RHEL 7 and CentOS 7, update the ca-certificates package to 2021.2.50-72.el7_9 or later. For instructions, see How do I apply package updates to my RHEL system? on the Red Hat website.
If you still encounter issues in your RHEL instance after you upgrade, then you must manually block the DST Root CA X3 certificate. Complete the following steps:
- Run the following command to back up the existing root store:
  cp -i /etc/pki/tls/certs/ca-bundle.crt ~/ca-bundle.crt-backup
- Run the following command to add the certificate to the deny list directory:
  trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
- Run the following command to update the root store:
  sudo update-ca-trust extract
- Run the following command to verify that you removed the certificate:
  diff ~/ca-bundle.crt-backup /etc/pki/tls/certs/ca-bundle.crt
Related information
Extending Android device compatibility for Let's Encrypt certificates on the Let's Encrypt website