Ubuntu 12.04 client - LetsEncrypt DST_Root_CA_X3 expiry - OpenSSL fix

Posted by Ziyan Junaideen |Published: 06 October 2021 |Category: Linux Systems Admin

LetsEncrypt is my go-to SSL certificate provider, and all my projects and most of my customers' websites run on LetsEncrypt. The recent expiry of the DST Root X3 certificate caused some disruption, which required my attention. One particular instance was an Ubuntu 12.04 server.

Server Details

  • Operating System: Ubuntu 12.04
  • OpenSSL: 1.0.1

Observations

Ubuntu 12.04 is old and predates the ISRG_ROOT_X1 certificate. I had a feeling it wouldn't already be there, and I was correct.

find /usr/share/ca-certificates -name "*ISRG*"

Instructions

Step 1: Ubuntu 12.04 passed its support window long ago and updating using apt is not an option. The client should have updated the system long ago. To update ca-certificates I used a deb file from the launchpad library (which I got from a friend) and installed it using dpkg.

sudo wget https://launchpadlibrarian.net/482351465/ca-certificates_20190110~12.04.1_all.deb
sudo dpkg -i ca-certificates_20190110~12.04.1_all.deb

Step 2: Open the certificate configuration file using your favourite editor. Mine is VIM.

sudo vim /etc/ca-certificates.conf

Step 3: Search for the entry for the expired certificate DST_Root_CA_X3. You should be on a line similar to mozilla/DST_Root_CA_X3.crt. Deselect it by prefixing the line with a ! (in this file a leading ! deactivates the certificate, while # marks a comment). Save the file and exit.

!mozilla/DST_Root_CA_X3.crt

Step 4: Now run the update-ca-certificates command. This will read the configuration file and regenerate the single bundle file ca-certificates.crt (under /etc/ssl/certs).

sudo update-ca-certificates
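
Steps 2 and 3 can also be scripted, which helps when several old hosts need the same change. The following is an added example, not part of the original post: the function names entry_state and deselect_entry are hypothetical, the demo config is constructed, and the mozilla/ISRG_Root_X1.crt entry name is assumed to follow the same naming as the DST entry.

```sh
#!/bin/sh
# Added example: Steps 2-3 without an editor, plus a state check.

# entry_state CONF ENTRY -> prints selected | deselected | absent
entry_state() {
    conf=$1; entry=$2
    if grep -qxF "$entry" "$conf"; then
        echo selected            # an active line means the CA is still trusted
    elif grep -qxF "!$entry" "$conf"; then
        echo deselected
    else
        echo absent
    fi
}

# deselect_entry CONF ENTRY: prefix the exact line with "!"; safe to re-run.
deselect_entry() {
    conf=$1; entry=$2
    [ "$(entry_state "$conf" "$entry")" = selected ] || return 0
    tmp=$(mktemp) || return 1
    awk -v e="$entry" '$0 == e { print "!" e; next } { print }' "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"     # overwrite in place: keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed config, not the real /etc/ca-certificates.conf.
demo=$(mktemp)
printf '%s\n' '# constructed sample' \
    'mozilla/DST_Root_CA_X3.crt' 'mozilla/ISRG_Root_X1.crt' > "$demo"
deselect_entry "$demo" mozilla/DST_Root_CA_X3.crt
echo "DST_Root_CA_X3: $(entry_state "$demo" mozilla/DST_Root_CA_X3.crt)"
echo "ISRG_Root_X1:   $(entry_state "$demo" mozilla/ISRG_Root_X1.crt)"
rm -f "$demo"

# On the server (as root), then continue with Step 4:
#   deselect_entry /etc/ca-certificates.conf mozilla/DST_Root_CA_X3.crt
```

Running entry_state against /etc/ca-certificates.conf before and after the change gives a quick record of what was trusted on each host.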

Confirm

As always we should confirm that the update worked. You can do a curl request to a domain that caused the error or just about any LetsEncrypt SSL site.

curl https://www.jdeen.com

If you see the source code of the page, you are good to go!

Important

Given you are reading this article, the chances are you are administering an Ubuntu 12.04 server. Ubuntu 12.04 has long passed its support window. Managing such a server is only going to get worse over time.
