Let's Encrypt: Chain of trust is NOT ok, expired.

As of September 30, 2021 as planned, the DST Root CA X3 cross-sign has expired. And old devices including servers under CentOS 6 are reporting broken chain or failed peer 

ERROR: cannot verify example.net’s certificate, issued by “/C=US/O=Let's Encrypt/CN=R3”: Issued certificate has expired.

when trying to connect to a secure protocol protected by a Let's Encrypt certificate. And here is a quick solution for servers with DirectAdmin.

Here we have two sides:

• server's side storage of CA certificates
• web-sites with expired CA certificates 

If the first issue can be fixed by upgrading a system set of CA certificates from a repository of OS. Use apt/apt-get/yum/dnf for it, considering OS you run there.

For the second issue we need to replace CA certificate for every hosted web-site. And it might become not trivial for servers with 100+ domains. That's why Poralix's prepared a small script for an automation of the process.

The mentioned script can be found at GitHub by the link:

• https://github.com/poralix/directadmin-utils/blob/master/letsencrypt/fix_le_caroot.sh
  

The script can be used for replacing CA-root certificate and re-generating *.combined sets:

• /usr/local/directadmin/data/users/${USER}/domains/${DOM}.cacert
• /usr/local/directadmin/data/users/${USER}/domains/${DOM}.cert.combined

for every domain which is protected by a certificate from Let's Encrypt.

In order to run the script you might use the following code (as root):

bash <(curl -Ss https://raw.githubusercontent.com/poralix/directadmin-utils/master/letsencrypt/fix_le_caroot.sh || wget -O - https://raw.githubusercontent.com/poralix/directadmin-utils/master/letsencrypt/fix_le_caroot.sh)

That's it.