Today (with currently only 15 minutes to go) it’s nearly time for the Digital Signature Trust Co., DST Root CA X3 certificate DST_Root_CA_X3.pem to expire:

$ openssl x509 -enddate -noout -in /etc/ssl/certs/DST_Root_CA_X3.pem
notAfter=Sep 30 14:01:15 2021 GMT

This was the root certificate that Lets Encrypt used to sign their certificates with, but since 2015 Let’s Encrypt have their own new root certificate ISRG Root X1 (see below if you need to install this on your Ubuntu 14.04 box) and are signing with this instead. This normally wouldn’t be a problem were it not for legacy clients that can’t receive the new root certificate and will continue to use the expired one.

In my case, the legacy clients are binaries built and linked against older 1.0.2 versions of openssl. I’m using the Workaround 1 method suggested on openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire:

Just remove the expired root certificate (DST Root CA X3) from the trust store used by the OpenSSL 1.0.2 TLS client to verify the identity of TLS servers. If the new ISRG Root X1 self-signed certificate isn’t already in the trust store, add it.

There is no downside to this workaround apart from the need to modify all the potential OpenSSL 1.0.2 TLS client hosts trust stores.

But as they point out “The removal and addition of certificates from/into the system certificate trust stores is a highly specific operation depending on the operation system”.

In my case on an old Ubuntu 14 LTS server, I did it like this:

sudo sed -i"" 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/' /etc/ca-certificates.conf
sudo dpkg-reconfigure -fnoninteractive ca-certificates
sudo update-ca-certificates

And there’s no longer a /etc/ssl/certs/DST_Root_CA_X3.pem file present. But I do still have the newer ISRG Root X1 certificate, which expires in 2035;

$ openssl x509 -enddate -noout -in /etc/ssl/certs/ISRG_Root_X1.pem
notAfter=Jun  4 11:04:38 2035 GMT

Installing the ISRG Root X1 on Ubuntu 14.04

If you don’t have the ISRG Root X1 certificate, you can do it from the latest stable source certificates (requires you to have a working wget and unxz or at least a way of getting the uncompressed .tar file onto your target machine):

# Also available at https://askubuntu.com/a/1366719/233579
mkdir -p ~/src
cd ~/src
wget https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ca-certificates/20210119~20.04.2/ca-certificates_20210119~20.04.2.tar.xz
unxz ca-certificates_20210119~20.04.2.tar.xz
tar -xf ca-certificates_20210119~20.04.2.tar
cd ca-certificates-20210119~20.04.1
make
sudo make install
sudo dpkg-reconfigure -fnoninteractive ca-certificates
sudo update-ca-certificates