
[CPANEL-33077] Letsencrypt transition to ISRG’s Root (Important!!!!!)

Comments

203 comments

  • Kent Brockman
    For those for whom the /scripts/autorepair update_lets_encrypt_cabundles2 command didn't fix the issues, you can try this, which fixed everything in our case:
        find /var/cpanel/ssl/domain_tls/* -type d -not -perm 755 -exec chmod -v 755 {} \;
    Taken from here:
    0
  • monarobase
    Be careful about that. As cPRex said, that command could potentially change the permissions of the pending_delete directory.
    0
  • sajithgsm
    Today Cloudlinux provided a solution for this.
    0
  • vacancy
    Today Cloudlinux provided a solution for this.
    0
  • DHarry
    I've run the autofixer and I think I'm confused as to what it's supposed to "fix". Our issue is that our certificate chain looks like this:
        i:/C=US/O=Let's Encrypt/CN=R3
      1 s:/C=US/O=Let's Encrypt/CN=R3
        i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
      2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
        i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    We're also getting the verification error, "unable to get local issuer certificate". Was the autofixer supposed to resolve this issue? Or, is there something else I need to attempt? Or, is this the exact issue still being researched? Tomorrow is going to be hell for me if I cannot provide any updates.
    0
  • ciao70
    Hello, this morning our site certificate was updated and the cross signature with DST Root is gone. Now all devices older than Android 7.1.1 get an error. Did it happen to anyone else too? I am really confused by all these problems.
    0
  • MindServer
    Hello, this morning our site certificate was updated and the cross signature with DST Root is gone. Now all devices older than Android 7.1.1 get an error. Did it happen to anyone else too? I am really confused by all these problems.

    Yes, I have the same problem, old Android versions cannot load the websites with SSL. Have a nice day.
    0
  • ciao70
    Yes, I have the same problem, old Android versions cannot load the websites with SSL. Have a nice day.

    We fixed it by manually re-entering the third DST Root chain and disabled AutoSSL for the time being. I had to download the cross-signed CA cert and manually add it to the combined cert used by Apache.
    0
  • net@work
    We fixed it by manually re-entering the third DST Root chain and disabled AutoSSL for the time being. I had to download the cross-signed CA cert and manually add it to the combined cert used by Apache.

    Hello, as I have the same issue (devices older than Android 7.1.1 get an error), is it possible to describe how we can manage to solve this? As most of us will have the exact same problem. If we reinstall the certificate after the cPanel plugin update (2 days before - cpanel-letsencrypt-v2-1.02-1.2.1), will this correct the problem, or must we do something else? Let's Encrypt says:
    0
  • monarobase
    The extending is done by including the expired certificate because older Android doesn't verify if a root certificate is expired, but that expired certificate causes issues with other devices: some security solutions block it and cPanel detected the certs as faulty. We had random issues for different customers running up-to-date software when that root chain was included. For old Android devices I believe that setting e-mail to "TLS accept all certificates" and installing Firefox should resolve the problem for most users. These users will have issues with lots of websites, as lots of people will decide not to include the expired root certificate due to compatibility issues with other devices.
    0
  • net@work
    Hello.
    The extending is done by including the expired certificate because older Android doesn't verify if a root certificate is expired, but that expired certificate causes issues with other devices: some security solutions block it and cPanel detected the certs as faulty.

    Thank you for that kind of view on this particular problem.
    These users will have issues with lots of websites as lots of people will decide to not include the expired root certificate due to compatibility issues with other devices.

    That's correct, I believe. Do you know if, when we change to cPanel AutoSSL (powered by Sectigo), old devices like Android before 7.1.1 will be OK as before, or will we have problems also? Because
    0
  • ciao70
    The extending is done by including the expired certificate because older Android doesn't verify if a root certificate is expired, but that expired certificate causes issues with other devices: some security solutions block it and cPanel detected the certs as faulty. We had random issues for different customers running up-to-date software when that root chain was included. For old Android devices I believe that setting e-mail to "TLS accept all certificates" and installing Firefox should resolve the problem for most users. These users will have issues with lots of websites, as lots of people will decide not to include the expired root certificate due to compatibility issues with other devices.

    Hello, which devices would have problems? cPanel doesn't seem to me to have communicated that it would remove DST Root. As I wrote previously, we re-entered DST Root and disabled AutoSSL. I expect some press release from cPanel to explain the situation. Thanks
    0
  • ciao70
    Hello, as I have the same issue (devices older than Android 7.1.1 get an error), is it possible to describe how we can manage to solve this? As most of us will have the exact same problem. If we reinstall the certificate after the cPanel plugin update (2 days before - cpanel-letsencrypt-v2-1.02-1.2.1), will this correct the problem, or must we do something else? Let's Encrypt says:
    0
  • jorbox
    Hello, Honestly, I don't know at all, we put the DST Root certificate back manually. Let's see what Cpanel says about it.

    Can you tell us how?
    0
  • net@work
    Hello, Honestly, I don't know at all, we put the DST Root certificate back manually. Let's see what Cpanel says about it.

    First of all, thank you for your answer. Can you tell us how you put the DST Root certificate in manually, and if you face any error with dovecot/exim? Is it from this list?
    0
  • jorbox
    I think Chrome & Outlook should include their own list like Firefox does. One of my clients was very angry because he uses an old Android phone; I told him to install Firefox and the website worked. I told him also that Chrome will release an update for this soon.
    0
  • ciao70
    First of all, thank you for your answer. Can you tell us how you put the DST Root certificate in manually, and if you face any error with dovecot/exim?

    DST Root only for Apache. What I wanted to know from cPanel is why on Apache we ended up with "Certificates provided 2" instead of 3. Was DST Root CA X3 gone?
    Certificates provided 3 (4032 bytes)
    Chain issues None
    #2
    Subject R3
    Valid until Mon, 15 Sep 2025 16:00:00 UTC (expires in 3 years and 11 months)
    Key RSA 2048 bits (e 65537)
    Issuer ISRG Root X1
    Signature algorithm SHA256withRSA
    #3
    Subject ISRG Root X1
    Valid until Mon, 30 Sep 2024 18:14:03 UTC (expires in 2 years and 11 months)
    Key RSA 4096 bits (e 65537)
    Issuer DST Root CA X3
    Signature algorithm SHA256withRSA
    Now all devices, even those older than Android 7.1.1, are able to connect again. Sorry for my English.
    0
  • cPRex Jurassic Moderator
    I'm not sure about the cert2 vs 3 issue being mentioned. I didn't see a lot of updates over the weekend, but at this time we're still looking into the root cause of why some users encountered permission problems in the /var/cpanel/ssl/domain_tls/ directory. Once I hear more about that, I'll be sure to post. As far as an "announcement" I believe the current plan is to update or create a support article once this is all said and done.
    0
  • dandadude
    In case this might help anyone:
    - I ran the permission fix 2 days ago, but problems have arisen with some domains since then (regarding the common name again, of course)
    - I ran the permission fix again now and all is well (probably they had new certs generated since then, didn't check)
    - I have put the permission fix in my cron.hourly, just in case (until we have a real solution from cPanel)
    0
  • cPRex Jurassic Moderator
    Here's an article specifically for the permissions issue:
    0
  • ciao70
    Here's an article specifically for the permissions issue:
    0
  • cPRex Jurassic Moderator
    @ciao70 - that's correct. Articles that are linked to cases allow the end-user to "follow" the case for updates, which requires a login.
    0
  • cPRex Jurassic Moderator
    Update - we *potentially* have a cause and a fix for the odd permissions in /var/cpanel/ssl/domain_tls. I can't say more just yet (well, really I don't want to accidentally lie or spread false hope if it turns out to not be true...) but I'm hoping we'll have something official in place soon.
    0
  • dolphyn
    Here's what I think @ciao70 is suggesting, as a solution to the Android problem, and I think it has worked for me to allow websites to be viewed. (This doesn't address any email or SNI issues such as ERR_CERT_COMMON_NAME_INVALID.) Simply append the cross-signed ISRG Root X1 certificate (available from https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem) to each combined file:

        # Append to each "combined" file (that doesn't already include the cross-signed certificate).
        # The grep pattern is a fragment of the cross-signed certificate's PEM body, used as a marker.
        for file in /var/cpanel/ssl/apache_tls/*/combined; do
            if grep -q "CCBEigAwIBAgIQQAF3ITfU6UK47naqPGQK" "$file"; then
                echo "FOUND in $file"
            else
                echo "" >> "$file"
                cat ~/isrg-root-x1-cross-signed.pem >> "$file"
            fi
        done
        # Graceful restart of Apache
        apachectl -k graceful
    0
  • Duplika
    Is there any news regarding the SSL and Android issue? Many clients upset, pity cPanel didn't plan ahead on this.
    0
  • cPRex Jurassic Moderator
    Here is what I know at this point:
    - CPANEL-38838 has been created with a possible fix for the permissions problems we've seen with the /var/cpanel/ssl/domain_tls directory
    - once that fix is official, we'll backport it to v98 and v94.
    - we have an additional case as well that will help with the OpenSSL logic to verify what chains are trusted and what is not
    - there is also a Let's Encrypt plugin update that will happen at some point soon
    Once all of that happens, we do expect that to help with the Android issues some users have been seeing and to resolve the issues in general. I'll be sure to post updates as I get them.
    0
  • sparek-3
    After looking into this, this is what I've been able to find. Someone feel free to correct me if I'm wrong anywhere in this. There are two certificates issued by DST Root CA X3, and I don't know if cPanel is aware of this or really what they have done in regards to this. There is (was) a DST Root CA X3 certificate:
        Issuer: DST Root CA X3
        Server Name: R3
        Expires: September 29, 2021
    and there's also a:
        Issuer: DST Root CA X3
        Server Name: ISRG Root X1
        Expires: September 30, 2024
    The one that expires on September 30, 2024 is the same one that @dolphyn (post #175, https://forums.cpanel.net/threads/cpanel-33077-letsencrypt-transition-to-isrgs-root-important.673981/post-2879289) is referencing from https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem
    I don't think cPanel realizes that these are two different certificates. They've just decided that all DST Root CA X3 certificates are bad. If you don't want to read any further, that's my best guess as to what happened with cPanel's "fix". There's also a third certificate:
        Issuer: ISRG Root X1
        Server Name: R3
        Expires: September 15, 2025
    This is the primary and proper CA bundle that should be used with Let's Encrypt certificates for modern systems. This is detailed at:
    0
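    A defender's check that ties the two posts above together, written for this thread as an added example (not code from the thread, from cPanel or from Let's Encrypt): it splits a PEM bundle such as a cPanel combined file, prints each certificate's subject, issuer and expiry, and labels the three chain certificates sparek-3 lists, so after an append like dolphyn's you can confirm the ISRG Root X1 cross-sign is present while the expired DST-signed R3 is not. It assumes the openssl CLI and the /var/cpanel/ssl/apache_tls/*/combined path quoted in this thread.

```shell
#!/bin/sh
# Audit every certificate in a PEM bundle such as a cPanel "combined" file and
# label the three Let's Encrypt chain certificates discussed in this thread, so
# you can see whether a bundle still carries the expired DST-signed R3 or only
# the ISRG Root X1 cross-sign. Requires the openssl CLI.

# Extract the CN attribute from an RFC 2253 name, e.g. "CN=R3,O=Let's Encrypt,C=US".
cn_of() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Label a certificate by its subject CN ($1) and issuer CN ($2); the dates are
# the expiry dates quoted in the post above.
classify_le_cert() {
    case "$2/$1" in
        "DST Root CA X3/R3")           echo "old R3 intermediate (expired 2021-09-29)" ;;
        "DST Root CA X3/ISRG Root X1") echo "ISRG Root X1 cross-sign (old-Android compat, to 2024-09-30)" ;;
        "ISRG Root X1/R3")             echo "current R3 intermediate" ;;
        *)                             echo "other" ;;
    esac
}

# Print one line per certificate in the bundle: expiry state, label, names, notAfter.
audit_bundle() {
    tmp=$(mktemp -d) || return 1
    # copy each BEGIN..END CERTIFICATE block into its own numbered file (keys are skipped)
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++; p=1}
                       p {print > (dir "/cert" n ".pem")}
                       /-----END CERTIFICATE-----/ {p=0}' "$1"
    for cert in "$tmp"/cert*.pem; do
        [ -f "$cert" ] || continue
        subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        end=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
        # -checkend 0 exits non-zero once notAfter lies in the past
        if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then state=valid; else state=EXPIRED; fi
        label=$(classify_le_cert "$(cn_of "$subj")" "$(cn_of "$iss")")
        printf '%s | %s | subject=%s | issuer=%s | notAfter=%s\n' "$state" "$label" "$subj" "$iss" "$end"
    done
    rm -rf "$tmp"
}

# Walk every Apache combined file on a cPanel server (path taken from this thread).
for f in /var/cpanel/ssl/apache_tls/*/combined; do
    if [ -f "$f" ]; then echo "== $f"; audit_bundle "$f"; fi
done
```

    A bundle that is fine for modern clients and old Android shows one "current R3 intermediate" and one "ISRG Root X1 cross-sign" line, both valid; any line flagged EXPIRED is a certificate clients will reject and should be removed from the combined file.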
  • cPRex Jurassic Moderator
    I'm going to be posting a detailed summary soon
    0
  • cPRex Jurassic Moderator
    Here's a link to the summary of the Let's Encrypt events:
    0
  • sparek-3
    I guess the part I'm confused about is:
    "Domain TLS, which includes the email services on the machine, failed, as that service does not allow the installation of invalid certificates. This caused users to receive an SSL error when connecting to the mail server as they would have been presented with the hostname SSL instead of the domain SSL."

    What certificate in the chain was considered invalid? And what determines validity? When issuing a Let's Encrypt certificate, the certificate for the domain is valid - yes? ISRG Root X1 (expires September 15, 2025) is valid - yes? DST Root CA X3 (expires September 30, 2024) is valid - yes? So why isn't that being installed?
    0
