How to remove expired Let's Encrypt cert (Debian)

Question

I am trying to remove the expired DST Root CA X3 Let's Encrypt SSL cert (expired yesterday) from a Debian server which is still appearing when I check in SSL Labs:

RSA 2048 bits (e 65537) / SHA1withRSA
Valid until: Thu, 30 Sep 2021 14:01:15 UTC
EXPIRED
Weak or insecure signature, but no impact on root certificate

I am still getting 'untrusted' message when some calls are made to the server and I believe it to the this which is the cause.

The above appears in the SSL Labs report under "Path #2: Not Trusted" and I'd like to remove it to see if this is the cause.

I have already done this:

Commented out DST Root CA X3 in /etc/ca-certificates.conf
Performed an update-ca-certificates (It said 1 removed)
Updated certbot and renewed the cert for the server.

But this is still appearing, how to remove it?

Thanks in advance.

Did you restart the web server? – Zoredache Oct 01 '21 at 19:01 — Zoredache, Oct 01 '21 at 19:01

score 0 · Answer 1 · answered Oct 02 '21 at 00:46

Your webserver delivers your SSL certificate and a certificate chain (optionally). Your webserver is *not sending the root certificate as only already installed root certificates are used/trusted on the client machine. The root certificates installed on your webserver make zero difference to the client browser.

This means your SSL certificate is referencing the root certificate thru the trust chain. The client is using its own locally installed root certificate.

Solution: Issue (request) and install a new SSL certificate and restart the webserver. This will remove the reference to the bad/expired/invalid root certificate.

score 0 · Answer 2 · answered Oct 06 '21 at 06:44

0

try this:

sudo dpkg-reconfigure ca-certificates

answered Oct 06 '21 at 06:44

Charlie

1
1

How to remove expired Let's Encrypt cert (Debian)

2 Answers2