If you are reading this article, this means, you have encountered an issue where it says “SSL certificate problem: certificate has expired” in your applications connecting other third-party APIs or systems.
You might have received a warning or error while connecting to our system when reaching the connection with HTTPS. We will cover a quick fix on outdated systems with a fix for this issue.
What is the reason for the SSL errors?
The error is caused due to the expired “DST Root CA X3 in your system”. This is mainly affected if you are using old versions of the (mainly Linux kernel versions, but not only limited to) without any updates for your root certificate chains.
On September 30th 2021, the issuer of this certificate LetsEncrypt has decided to expire the above certificate on the root chain. If your DevOps team haven’t followed any updates or made any changes to the system, the SSL root chains will reject the APIs accessing the service after this date.
This is affecting all the older versions of the system worldwide which hasn’t gone through any certificate update process, especially, Ubuntu 14.04 and Ubuntu 16.04.
The problem is not Let’s Encrypt having a bad or unsupported certificate chain. It’s broken software on the client end that’s applying the rules for validating certificate chains incorrectly. – a user noted on superuser
You can read more about the announcement from LetsEncrypt here.
How to fix this issue?
Ubuntu flavour
- Run the following command to reconfigure ca-certificates.
sudo dpkg-reconfigure ca-certificates - This will bring up a screen as below. Please press the yes button to continue to the next screen.
- Navigate to the next screen, then using the arrow keys, scroll down to the line where it says “mozilla/DST_Root_CA_X3.crt“
- Press the space key to deselect this, so the star icon near this will be removed. Please refer to the below image.
- Then click ok by pressing the enter button, this will reconfigure your ca-certificate and remove the old one which is expired.
Other flavours
Please google fix for “DST_Root_CA_X3″ since this is affected on many older systems and you can easily find the fix for your OS. Some of the fixes are mentioned in these threads.
How can I prevent this in future?
Make sure that you are using the latest version of the software and follow the security patches if any suggested by your DevOps team.
The certificate expired message on postman
If you are using Postman to test our APIs, make sure that you are updated on the latest version.
They have already released a patch covering the old certificates as seen here.