How do I resolve a certificate expiration error for the Let's Encrypt certificate on my EC2 instance?
Last updated: 2022-02-15
I'm unable to connect to a remote URL from my Amazon Elastic Compute Cloud (Amazon EC2) instance that has a Let's Encrypt certificate. Or, I'm receiving an error that my Let's Encrypt certificate expired. How do I fix this?
Some EC2 instances are experiencing expired certificate errors due to an expired Let's Encrypt cross-signed DST Root CA X3. Instances running the following operating systems might not be able to connect to servers using Let's Encrypt certificates. These operating systems might also not be able to access the Let's Encrypt endpoints to issue or renew certificates after September 30, 2021:
- CentOS and RHEL 7 or lower
- Amazon Linux and Amazon Linux 2
- Ubuntu 16.04 or lower
- Debian 8 or lower
For compatibility purposes, Let's Encrypt certificates default to using a certificate chain that's cross-signed by the DST Root CA X3 certificate, which expired on September 30, 2021.
OpenSSL 1.0.2 always prefers the chain that the server presents (the untrusted chain) over a chain it could build from the local root store. This means that the expired DST Root CA X3 certificate is seen and the entire chain is rejected as expired. Servers with the affected version of OpenSSL and the DST Root CA X3 certificate in their root store can't issue or renew Let's Encrypt certificates. Affected instances also can't connect to servers that present Let's Encrypt certificates.
This issue is corrected in Ubuntu 16.04 with a recent release of the OpenSSL package. Amazon Linux and Red Hat have also released new ca-certificates packages that deny the expiring certificate.
Ubuntu 16.04: Update OpenSSL to version 1.0.2g-1ubuntu4.20 or newer.
Amazon Linux and Amazon Linux 2: Amazon Linux instances can be relaunched to apply the updated ca-certificates package automatically. If existing instances must be updated, you can update ca-certificates by running the following command:
sudo yum update ca-certificates
Note: If you're using an AMI with a locked repository GUID, such as Elastic Beanstalk, then install an updated ca-certificates package using the following commands:
Amazon Linux 1
sudo yum install https://cdn.amazonlinux.com/patch/ca-certificates-update-2021-09-30/ca-certificates-2018.2.22-65.1.24.amzn1.noarch.rpm
Amazon Linux 2
sudo yum install https://cdn.amazonlinux.com/patch/ca-certificates-update-2021-09-30/ca-certificates-2021.2.50-72.amzn2.0.1.noarch.rpm
Red Hat and CentOS 7: Update the ca-certificates package to 2021.2.50-72.el7_9 or later.
Note: Ubuntu versions less than 16.04 are end of life. Manual intervention might be possible, but isn't supported.
Manual remediation for Amazon Linux-based systems
It's a best practice to update existing instances using the preceding yum command. To modify the system in place, use the following commands instead:
Amazon Linux 1
sudo sed -i'' '/Alias: DST Root CA X3/,/No Rejected Uses./d' /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
sudo update-ca-trust
Amazon Linux 2
sudo sed -i'' '/DST Root CA X3/,/\[p11-kit-object-v1\]/d' /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
sudo update-ca-trust
Manual remediation for Red Hat-based systems
1. Back up the existing root store:
cp -i /etc/pki/tls/certs/ca-bundle.crt ~/ca-bundle.crt-backup
2. Add the certificate to the deny list directory:
trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
3. Update the root store:
sudo update-ca-trust extract
4. Verify the certificate's removal:
diff ~/ca-bundle.crt-backup /etc/pki/tls/certs/ca-bundle.crt
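The following is an added example, not part of the AWS article: an offline check that mirrors the Amazon Linux 1 manual remediation and the verification step above without touching the live trust store. It detects the affected OpenSSL 1.0.2 series from a version banner, counts trust entries before and after removing the DST Root CA X3 block from a copy of a bundle, and confirms the other anchors survive. The bundle content is constructed with placeholder certificate bodies; on a real instance you would point the functions at /usr/share/pki/ca-trust-source/ca-bundle.trust.crt instead.

```shell
#!/bin/sh
# Added example (not from the AWS article): offline pre/post check for the
# DST Root CA X3 remediation on an Amazon Linux 1 style trust bundle.

# Returns 0 when an "openssl version" banner names the affected 1.0.2 series.
openssl_is_affected() {
    case "$1" in
        "OpenSSL 1.0.2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the number of trust entries (one "# Alias:" header each) in bundle $1.
count_entries() {
    grep -c '^# Alias:' "$1"
}

# Returns 0 if bundle $1 still carries the DST Root CA X3 entry.
has_dst_root() {
    grep -q '^# Alias: DST Root CA X3' "$1"
}

# Writes bundle $1 to $2 with the DST Root CA X3 entry removed, using the same
# sed address range as the article's command, but on a copy rather than in place.
strip_dst_root() {
    sed '/Alias: DST Root CA X3/,/No Rejected Uses./d' "$1" > "$2"
}

# Constructed two-entry sample bundle; certificate bodies are placeholders, not real keys.
SAMPLE_BUNDLE="$(mktemp)"
cat > "$SAMPLE_BUNDLE" <<'EOF'
# Alias: DST Root CA X3
# Trust: CKA_TRUST_SERVER_AUTH
-----BEGIN TRUSTED CERTIFICATE-----
PLACEHOLDER-CONSTRUCTED-BODY-FOR-DST-ROOT-CA-X3
-----END TRUSTED CERTIFICATE-----
# No Rejected Uses.
# Alias: ISRG Root X1
# Trust: CKA_TRUST_SERVER_AUTH
-----BEGIN TRUSTED CERTIFICATE-----
PLACEHOLDER-CONSTRUCTED-BODY-FOR-ISRG-ROOT-X1
-----END TRUSTED CERTIFICATE-----
# No Rejected Uses.
EOF

# Stand-alone run: strip into a copy and report the before/after state.
CLEANED="$(mktemp)"
strip_dst_root "$SAMPLE_BUNDLE" "$CLEANED"
printf 'entries before: %s, after: %s\n' "$(count_entries "$SAMPLE_BUNDLE")" "$(count_entries "$CLEANED")"
if has_dst_root "$CLEANED"; then echo "DST Root CA X3 still present"; else echo "DST Root CA X3 removed"; fi
```

The remaining entry count after stripping should drop by exactly one; any other difference means the sed range matched more than the DST Root CA X3 block and the copy should not be promoted to the live store.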