As of September 30, 2021 as planned, the DST Root CA X3 cross-sign has expired. And old devices including servers under CentOS 6 are reporting broken chain or failed peer
ERROR: cannot verify example.net’s certificate, issued by “/C=US/O=Let's Encrypt/CN=R3”: Issued certificate has expired.
when trying to connect to a secure protocol protected by a Let's Encrypt certificate. And here is a quick solution for servers with DirectAdmin.
Here we have two sides:
If the first issue can be fixed by upgrading a system set of CA certificates from a repository of OS. Use apt/apt-get/yum/dnf for it, considering OS you run there.
For the second issue we need to replace CA certificate for every hosted web-site. And it might become not trivial for servers with 100+ domains. That's why Poralix's prepared a small script for an automation of the process.
The mentioned script can be found at GitHub by the link:
The script can be used for replacing CA-root certificate and re-generating *.combined sets:
for every domain which is protected by a certificate from Let's Encrypt.
In order to run the script you might use the following code (as root):
bash <(curl -Ss https://raw.githubusercontent.com/poralix/directadmin-utils/master/letsencrypt/fix_le_caroot.sh || wget -O - https://raw.githubusercontent.com/poralix/directadmin-utils/master/letsencrypt/fix_le_caroot.sh)