Note: Modifying server config files via SSH console is a complicated process and may break your site if not done perfectly. If you are not an SSH expert, We highly recommend upgrading to PRO version and let our premium support handle / help with this server setup.

Is your HTTPS site powered by Let’s Encrypt (Open certificate authority) SSL certificate showing INSECURE, “Your connection is not private”, “ERR_CERT_AUTHORITY_INVALID” or similar SSL issue all of a sudden since September 30, 2021?. This is due to recent expiration of DST cross-signed root certificate. Likewise, you are not alone as huge number of HTTPS sites using Let’s Encrypt are impacted by this expiration.

In our previous post, we explained how to resolve the SSL not trusted / root certificate expired issue for WordPress users and WP Encryption plugin users. Whereas, this guide is focused towards anyone using Let’s Encrypt SSL on their website using Apache, Nginx, Bitnami, Lightsail, Certbot or any server/platform.

Fixing root certificate expired issue on shared hosting platforms

If you are using SSL provided by AutoSSL or your shared hosting platform, all you need to do is just re-install the SSL certificate or re-run the autossl to fix the issue, hoping that almost all hosting platforms have updated the root certificate on their platform already. If that doesn’t resolve your issue, you could manually generate new SSL certificate and install it manually on your hosting platform with new active intermediate certificate (cabundle) provided at the bottom of this post.

If you manually generated Let’s Encrypt SSL certificate using WP Encryption WordPress plugin or with any other service which helps generate free Let’s Encrypt SSL certificate, simply re-installing the existing certificate & private key with the new intermediate certificate provided at the bottom of this post would resolve the issue. If you have updated to latest release v5.7.1 of WP Encryption plugin, the new intermediate certificate is already updated so you could easily re-generate fresh SSL certificate with correct root / intermediate or you could easily download / copy the new intermediate certificate to use from the “Download SSL Certificates” page of WP Encryption.

Fixing root certificate expired issue on AWS, Digital Ocean, Self managed server

Websites hosted on self managed servers with Apache, Nginx or Bitnami needs to follow a slightly different suit. Please modify your Apache / Nginx server config file via SSH console, check for file path of SSLCACertificateFile in case of Apache (which points to your intermediate certificate file) and ssl_certificate in case of Nginx (which points to a concatenated certificate + intermediate cert file).

Apache Server:-

Please update your intermediate cert file content with the new intermediate cert provided at the bottom of this article, save the file and restart apache server to fix the HTTPS issue.

Nginx Server:-

You will notice 2 cert blocks within your ssl_certificate file and you only need to replace the bottom one with the new intermediate cert provided at the bottom of this article. Once after updating, please save the server config file and restart nginx server once to fix the HTTPS issue.

Finally, the new rise of this SSL issue only requires updating of your intermediate certificate and you don’t really need to worry about your active certificate or key file.

Let’s Encrypt Active Intermediate Certificate to Use:

-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----

Leave a Reply

Your email address will not be published. Required fields are marked *

Archive

Categories

Tags

AWS Bluehost browser chrome compatibility Digital Ocean ERR_TOO_MANY_REDIRECTS Hostgator HTTPS Linux Mapped Domains Multisite SSL webadmin WHM