Let’s Encrypt Root Certificate Expiring

On September 29th, 2021, the Let’s Encrypt R3 root certificate expired.

Unfortunately, Microsoft’s IIS web server does not handle it well: it hands out both the expired certificate and the newer cross-signed certificate. There are several ways to address the issue, involving deleting registry keys and rebooting the server or resetting IIS, but I have found that the following process resolves the ERR_CERT_AUTHORITY_INVALID client error and does so with no downtime to the web sites.

First, use MMC to open the certificate store on the server (add the Certificates snap-in for the computer account on the local computer) and move the “DST Root CA X3” certificate with the expiration date of 9/30/2021 from “Trusted Root Certification Authorities” to “Untrusted Certificates”.

Then, renew all of your certs. Most likely you are using the win-acme client (WACS.EXE), so just tell it to force all renewals.

Then, double-check that no expired certificate is included in the chain, using SSL Labs (https://www.ssllabs.com/ssltest/index.html).
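The same three steps as a PowerShell session, run from an elevated prompt on the IIS host. This is an added example, not a script from the original post; it assumes win-acme is installed under C:\Tools\win-acme (the path and the helper name Test-ChainNotExpired are made up for the example) and uses the fact that the Windows “Untrusted Certificates” store is exposed as Cert:\LocalMachine\Disallowed. The last part builds the chain locally for every private-key certificate in the My and WebHosting stores so you can see whether an expired certificate would still be sent, before confirming externally with SSL Labs.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# prompt on the IIS server. Assumed: win-acme installed at C:\Tools\win-acme.

# Step 1: find the "DST Root CA X3" certificate that expired on 9/30/2021 in
# the machine's Trusted Root store and move it to Untrusted (Disallowed).
# Filtering on subject AND expiry date avoids touching any newer root with
# a similar name.
$cutoff = Get-Date '2021-10-01'
$stale = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*DST Root CA X3*' -and $_.NotAfter -lt $cutoff }

foreach ($cert in $stale) {
    Write-Host "Moving $($cert.Subject) (expires $($cert.NotAfter)) to Disallowed"
    Move-Item -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)" `
              -Destination Cert:\LocalMachine\Disallowed
}

# Step 2: force win-acme to renew every certificate it manages.
& 'C:\Tools\win-acme\wacs.exe' --renew --force

# Step 3: local chain check. Windows builds the chain it presents from the
# machine stores, so building it here shows whether an expired certificate
# is still part of it. Revocation is skipped because it is not the question.
function Test-ChainNotExpired {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($Cert)
    $expired = $chain.ChainElements |
        ForEach-Object { $_.Certificate } |
        Where-Object { $_.NotAfter -lt (Get-Date) }
    $chain.Dispose()
    return (@($expired).Count -eq 0)
}

$stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\WebHosting')
foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }   # WebHosting store may not exist
    Get-ChildItem $store | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $status = if (Test-ChainNotExpired -Cert $_) { 'OK' } else { 'STALE' }
        '{0,-6} {1}' -f $status, $_.Subject
    }
}
```

A site reported as STALE still has an expired certificate somewhere in the chain Windows builds for it; re-check the Trusted Root store for another copy of the old root and re-run the renewal before looking at the SSL Labs report.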

You do not need to reboot the server. You do not need to reset IIS. You do not need to schedule downtime.

This entry was posted in Bits & Bytes.