Why am I receiving a certificate expiration error for the Let's Encrypt certificate on my EC2 instance?

Last updated: 2021-10-01

I'm unable to connect to a remote URL from my Amazon Elastic Compute Cloud (Amazon EC2) instance that has a Let's Encrypt certificate. Or, I'm receiving an error that my Let's Encrypt certificate expired. How do I fix this?

Short description

Some EC2 instances are experiencing expired certificate errors due to an expired Let's Encrypt cross-signed DST Root CA X3. Instances running the following operating systems might not be able to connect to servers using Let's Encrypt certificates. These operating systems might also not be able to access the Let's Encrypt endpoints to issue or renew certificates after September 30, 2021:

  • CentOS and RHEL 7 or lower
  • Amazon Linux and Amazon Linux 2
  • Ubuntu 16.04 or lower
  • Debian 8 or lower

For compatibility purposes, Let's Encrypt certificates default to using a certificate chain that's cross-signed by the DST Root CA X3 certificate that expired on Sept 30th, 2021.

With OpenSSL 1.0.2, the untrusted chain is always preferred. This means that the expired certificate is seen and the entire chain is distrusted as expired. Servers with the affected version of OpenSSL and the DST Root CA X3 certificate in their root store can't issue or renew Let's Encrypt certificates. Impacted servers also can't access servers that are using them.

Resolution

This issue is corrected in Ubuntu 16.04 with a recent release of the OpenSSL package. Amazon Linux and Red Hat have also released new ca-certificates packages that denies the expiring certificate.

Package updates

Ubuntu 16.04: Update OpenSSL to version 1.0.2g-1ubuntu4.20 or newer.

Amazon Linux and Amazon Linux 2: Amazon Linux instances can be relaunched to apply the updated ca-certificates package automatically. Should existing instances need to be updated, customers can update ca-certificates by running the following:

sudo yum update ca-certificates

Note: For customers using an AMI with a locked repository GUID, like Elastic Beanstalk, you can install updated ca-certificates package using following commands:

Amazon Linux 1

sudo yum install https://cdn.amazonlinux.com/patch/ca-certificates-update-2021-09-30/ca-certificates-2018.2.22-65.1.24.amzn1.noarch.rpm

Amazon Linux 2

sudo yum install https://cdn.amazonlinux.com/patch/ca-certificates-update-2021-09-30/ca-certificates-2021.2.50-72.amzn2.0.1.noarch.rpm

Red Hat and CentOS 7: Update ca-certificates package to 2021.2.50-72.el7_9 or later.

Note: Ubuntu versions less than 16.04 are end of life. Manual intervention might be possible, but isn't supported.

Manual remediation for Amazon Linux-based systems

We recommend updating existing instances using the yum command above. If for some reason you prefer to modify the system in place, use the following commands instead:

Amazon Linux 1

sudo sed -i'' '/Alias: DST Root CA X3/,/No Rejected Uses./d' /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
sudo update-ca-trust

Amazon Linux 2

sudo sed -i'' '/DST Root CA X3/,/\[p11-kit-object-v1\]/d' /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit 
sudo update-ca-trust

Manual remediation for Red Hat-based systems

1.    Back up the existing root store:

cp -i /etc/pki/tls/certs/ca-bundle.crt ~/ca-bundle.crt-backup

2.    Add the certificate to the deny list directory:

trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem

3.    Update the root store:

sudo update-ca-trust extract

4.    Verify the certificates removal:

diff ~/ca-bundle.crt-backup /etc/pki/tls/certs/ca-bundle.crt

Did this article help?


Do you need billing or technical support?