Voronenko · September 30, 2021 20:04
diff --git a/le_cert_problem_centos.txt b/le_cert_problem_centos.txt
 TL;DR — For TLS certificates issued by Let’s Encrypt, the root certificate (DST Root CA X3) in the default chain expires on September 30, 2021. Due to their unique approach, the expired certificate will continue to be part of the certificate chain till 2024. This affects OpenSSL 1.0.2k on RHEL/CentOS 7 servers, and will result in applications/tools failing to establish TLS/HTTPS connections with a certificate has expired message.
 As of 24/9/21, upgrading ca-certificates package (2021.2.50–72) should fix the issue. Version 2021.2.50–72 removes DST Root CA X3.
 As of 17/9/21, the only available solution is to blacklist the root certificate as follows,
 trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
 sudo update-ca-trust extract
	TL;DR — For TLS certificates issued by Let’s Encrypt, the root certificate (DST Root CA X3) in the default chain expires on September 30, 2021. Due to their unique approach, the expired certificate will continue to be part of the certificate chain till 2024. This affects OpenSSL 1.0.2k on RHEL/CentOS 7 servers, and will result in applications/tools failing to establish TLS/HTTPS connections with a certificate has expired message.
	As of 24/9/21, upgrading ca-certificates package (2021.2.50–72) should fix the issue. Version 2021.2.50–72 removes DST Root CA X3.
	As of 17/9/21, the only available solution is to blacklist the root certificate as follows,
	trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" \| openssl x509 \| sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
	sudo update-ca-trust extract