With the expiration of the Let’s Encrypt root certificate, IdenTrust DST Root CA X3, on September 30, 2021, Ubuntu 14.04 certbot renewals broke. The latest supported version of certbot on Ubuntu 14.04 is 0.22, far behind the latest version. According to https://wiki.ubuntu.com/Releases, Ubuntu 14.04 ran out of standard support in April of 2019. While end of life is not until April 2024, it is recommended to upgrade as soon as possible due to unsupported software packages, potential security holes, and the cause of this issue: an outdated certificate truststore.
certbot breakage
What caused certbot automated renewals to break after the IdenTrust DST Root CA X3 expiration? certbot could no longer build a valid chain to the Let’s Encrypt root when connecting to https://acme-v02.api.letsencrypt.org/ for the renewal API call. The error returned was the following:
("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
Older Ubuntu versions such as 14.04 do not ship the newest Let’s Encrypt root. Its common name is ISRG Root X1, and it must be trusted by the OS for certificate renewals to work with certbot. To trust ISRG Root X1 on older versions of Ubuntu, perform the following actions:
- Download the ISRG Root X1 certificate from the Let’s Encrypt website.
- Copy the downloaded root to /usr/local/share/ca-certificates on the server. Make sure the certificate is in PEM format with the .crt extension, else the following command will not pick it up.
- Run update-ca-certificates to reload the truststore and pick up the new root certificate.
- Run certbot renew to kick off the renewal on Ubuntu 14.04.
Having added the new Let’s Encrypt root certificate to the trusted certs on Ubuntu 14.04, you will have a working certbot again. Note that this is only recommended as a temporary fix until you are able to upgrade to the latest version of Ubuntu.
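A pre-flight check for the steps above, added here as an example and not part of the original post: it tells you whether ISRG Root X1 is already in the OS truststore, whether the file you downloaded is one update-ca-certificates will accept, and whether the chain to the ACME API verifies (the same check certbot fails with "certificate verify failed"). It assumes the standard Debian/Ubuntu bundle path /etc/ssl/certs/ca-certificates.crt and that openssl is installed.

```shell
#!/bin/sh
# Pre-flight check for trusting ISRG Root X1 on an old Ubuntu host.
# Paths are the standard Debian/Ubuntu ones (assumed, not from the post).
set -u

ACME_HOST=acme-v02.api.letsencrypt.org
BUNDLE=${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}    # built by update-ca-certificates
LOCAL_DIR=${LOCAL_DIR:-/usr/local/share/ca-certificates} # drop-in dir for extra roots

# 0 if $1 is a file update-ca-certificates will pick up: PEM-encoded
# (has a BEGIN CERTIFICATE marker) and named with the .crt extension.
installable_root() {
  f=$1
  case "$f" in *.crt) ;; *) return 1 ;; esac
  [ -f "$f" ] && grep -q 'BEGIN CERTIFICATE' "$f"
}

# 0 if PEM bundle $1 contains a certificate whose subject CN is $2.
# Matches both the OpenSSL 1.0 ("/CN=X") and 1.1+ ("CN = X") subject formats.
bundle_has_root() {
  openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
    | openssl pkcs7 -print_certs -noout 2>/dev/null \
    | grep -Eq "subject=.*CN ?= ?$2"
}

# 0 if a TLS handshake to the ACME API verifies against the bundle, which is
# the check certbot's HTTPS client performs before it can renew anything.
acme_chain_verifies() {
  echo | openssl s_client -connect "$ACME_HOST:443" -servername "$ACME_HOST" \
    -CAfile "$BUNDLE" 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

main() {
  if bundle_has_root "$BUNDLE" "ISRG Root X1"; then
    echo "ok: ISRG Root X1 is trusted in $BUNDLE"
  else
    echo "missing: ISRG Root X1 not in $BUNDLE; copy it to $LOCAL_DIR as .crt and run update-ca-certificates"
  fi
  if bundle_has_root "$BUNDLE" "DST Root CA X3"; then
    echo "warn: expired DST Root CA X3 is still present in $BUNDLE"
  fi
  if acme_chain_verifies; then
    echo "ok: chain to $ACME_HOST verifies; certbot renew should succeed"
  else
    echo "fail: chain to $ACME_HOST does not verify (expect 'certificate verify failed')"
  fi
}

# Run the checks only when invoked as: sh preflight.sh check
case "${1:-}" in check) main ;; esac
```

Run it before and after copying the root into /usr/local/share/ca-certificates to confirm the handshake check flips from fail to ok.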
certbot renewal --dry-run error
After fixing the certificate verification error by trusting the new Let’s Encrypt root, you may encounter the following error if testing the certbot renewal with --dry-run:
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
This error message occurs because the --dry-run feature is broken with certbot 0.22 and earlier. Yet another reason to prioritize upgrading Ubuntu to the latest version.
Remove expired Let’s Encrypt root from Ubuntu 14.04
A best practice would be to remove the expired DST Root CA X3 root certificate from the OS truststore at /usr/local/share/ca-certificates. This is an optional step, as the OS and certbot client should be able to construct the path to the newly installed Let’s Encrypt root, but we recommend doing it anyway. After deleting the .crt file from the ca-certificates directory, run update-ca-certificates again to reload the truststore without the expired root.
Conclusion
To fix the certbot renewal of Let’s Encrypt certificates on older versions of Ubuntu such as 14.04, you simply need to trust the new Let’s Encrypt root certificate in the OS trust store, located at /usr/local/share/ca-certificates.