LetsEncrypt Certificate invalid/expired when seemingly not in PHPMailer, TLS, Openssl, file_get_contents, Sep 30 2021
I had a problem with PHPMailer suddenly saying my certificate had expired and refusing to connect properly to port 587 with TLS encryption, from Oct 1 2021.

Changing the SSL flags to disable verify_peer and verify_peer_name will temporarily fix the email issue.

$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'allow_self_signed' => true
    )
);

But it's not an ideal solution.

If I go to the same server via port 80 and the web, there is nothing wrong with the certificate.

If I connect with the OpenSSL command line, it says the certificate expired on Sep 30 2021.

This problem also appears under the PHP function file_get_contents.

NOTE: This issue is PHPMailer and email specific and provides good information about PHPMailer; it should not be closed. It has nothing to do with Docker or the other question it's associated with, other than the cause and fix being similar.

Pruitt answered 2/10, 2021 at 1:3 Comment(0)
The issue here is a real expired authority cert embedded in the LetsEncrypt chain which really DID expire on Sep 30 2021.

From the openssl blog ... The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

Read more here ... https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

It mainly affects OpenSSL 1.0.2. On my Mac with OpenSSL 1.1.1 I did not have the issue.

CentOS, and I'm sure others, have provided fixes for this issue ...

Backup

cp -i /etc/pki/tls/certs/ca-bundle.crt ~/ca-bundle.crt-backup

Add certificate to blacklist directory

trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem

Update root store

sudo update-ca-trust extract

Verify removal

diff ~/ca-bundle.crt-backup /etc/pki/tls/certs/ca-bundle.crt

The CentOS specific steps above are from this post ... https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4#:~:text=So%2C%20DST%20Root%20CA%20X3%20needs%20to%20be,The%20manual%20steps%20below%20are%20no%20longer%20necessary.

This is quite a crazy issue that appeared out of nowhere (unless you follow the OpenSSL blog).

It took me approx. 1 day to track down, all the while no emails were being sent and large pieces of the web site were not appearing.

Hope this points people in the right direction.

UPDATE: As pointed out by @hakre you may be able to get away with just ...

yum upgrade ca-certificates
Pruitt answered 2/10, 2021 at 1:3 Comment(4)
For CentOS 7: "As of 24/9/21, upgrading ca-certificates package (2021.2.50–72) should fix the issue. Version 2021.2.50–72 removes DST Root CA X3." - the manual steps can be skipped, just upgrading the ca-certificates package suffices. - Eastern
@Eastern I also have just noticed that my GoAccess wss socket using the certs is still giving an error on Safari but not on Firefox. What could be the problem with that? - Pruitt
Please, I am having the same problem on Apache, Ubuntu 18.0 on DigitalOcean. Any remedy? - Grane
I followed @Eastern's answer and it worked for me! You are a hero! - Toxicity
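As an added example (not code from the question or the answers above), the following PHP script does the diagnosis the answer describes in code: it walks a PEM bundle, lists each certificate's subject, issuer and expiry, and flags the ones that have lapsed, so an expired cross-signed root like DST Root CA X3 in the system trust store shows up directly. It then shows the PHPMailer and file_get_contents configuration that keeps verification enabled and points the client at an updated CA bundle instead of turning verify_peer off. The bundle paths and the PHPMailer autoload path are assumptions for illustration.

```php
<?php
// Added example: inspect a PEM bundle for expired certificates.
// Paths are assumptions; adjust them to the host being checked.
require 'vendor/autoload.php'; // PHPMailer via Composer (assumed path)

function listBundleCertificates(string $bundlePath): array
{
    $pem = file_get_contents($bundlePath);
    if ($pem === false) {
        throw new RuntimeException("Cannot read $bundlePath");
    }
    // One PEM bundle may hold many certificates; split on the PEM armour.
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m);
    $report = [];
    foreach ($m[0] as $i => $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            $report[] = ['index' => $i, 'error' => 'unparseable certificate'];
            continue;
        }
        $report[] = [
            'index'   => $i,
            'subject' => $info['subject']['CN'] ?? $info['name'],
            'issuer'  => $info['issuer']['CN'] ?? '',
            'expires' => gmdate('Y-m-d', $info['validTo_time_t']),
            'expired' => $info['validTo_time_t'] < time(), // true for DST Root CA X3 after 2021-09-30
        ];
    }
    return $report;
}

// Check both the chain the server presents and the trust store the client verifies against.
foreach (['/etc/letsencrypt/live/example.com/fullchain.pem', '/etc/pki/tls/certs/ca-bundle.crt'] as $bundle) {
    echo "== $bundle\n";
    foreach (listBundleCertificates($bundle) as $c) {
        printf("%d %s (issuer: %s) expires %s%s\n", $c['index'], $c['subject'] ?? '?',
            $c['issuer'] ?? '?', $c['expires'] ?? '?', !empty($c['expired']) ? '  <-- EXPIRED' : '');
    }
}

// Hardened configuration: verification stays on, CA bundle is the updated one.
$sslOptions = [
    'verify_peer'       => true,
    'verify_peer_name'  => true,
    'allow_self_signed' => false,
    'cafile'            => '/etc/pki/tls/certs/ca-bundle.crt', // bundle with DST Root CA X3 removed (assumed path)
];
$mail = new PHPMailer\PHPMailer\PHPMailer(true);
$mail->SMTPOptions = ['ssl' => $sslOptions];

// The same stream-context options fix file_get_contents() over HTTPS.
$ctx  = stream_context_create(['ssl' => $sslOptions]);
$body = file_get_contents('https://example.com/', false, $ctx);
```

If the server-side fullchain.pem itself is what carries a lapsed certificate, the expired entry shows up in the first listing and can be removed from the chain as the later answer suggests.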
Simply edit the fullchain.pem file and remove the last certificate (if using an OS different from the one in the accepted answer).

Grane answered 3/11, 2021 at 8:3 Comment(0)
