Let's Encrypt AutoSSL certificates showing error: ERR_CERT_COMMON_NAME_INVALID
Let's Encrypt, currently the most popular free SSL provider, recently faced an issue. Here is the fix proposed by cPanel.
Symptoms
We are currently facing an issue in which domains that use an SSL certificate from Let's Encrypt are showing the server's hostname as the common name, instead of the actual domain name that is on the certificate. This is causing browser errors and email client errors.
Description
This is related to the recent expiration of the DST Root CA X3 Cert from Let's Encrypt. We believe this to be causing issues with the SNI configuration.
We've opened an internal case for our development team to investigate this further. For reference, the case number is UPS-403 (internal case CPANEL-38820). Follow this article to receive an email notification when a solution is published in the product.
Workaround
The cPanel development team has published an autofixer for this issue that can be run manually using the following command:
/scripts/autorepair update_lets_encrypt_cabundles2
This command will also run automatically during the server's next /scripts/upcp cron job.
Fix Update:
Symptoms
SSL connections may fail with the following:
The certificate issuer's certificate has expired. Check your system date and time.
Description
As of September 30th, 2021, the DST Root CA X3 certificate that is used in the chain of trust for Let's Encrypt has expired, causing clients that do not recognize ISRG Root X1 to fail security checks when accessing sites that use Let's Encrypt as their SSL provider.
Details can be found in the following post by Let's Encrypt:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Workaround
On servers running CentOS or CloudLinux 7 or higher, this has been addressed by the most recent operating system updates, which update the certificate bundles.
rpm -q ca-certificates
ca-certificates-2021.2.50-72.el7_9.noarch
rpm -q ca-certificates --changelog | head
* Tue Sep 14 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-72
- Fix expired certificate.
- Removing:
- # Certificate "DST Root CA X3"
If the installed version is older than 2021.2.50-72, the package can be updated manually with the following:
yum -y update ca-certificates
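To run the version check above across several servers, the comparison against 2021.2.50-72 can be scripted. This is an added example, not cPanel's code: the function names are hypothetical, it assumes GNU sort (for -V), and the threshold applies to the EL7 builds this page discusses.

```shell
#!/bin/sh
# Added example (not cPanel's script): flag ca-certificates builds older
# than the fixed build named on this page.
FIXED_BUILD="2021.2.50-72"

# Reduce rpm -q output such as "ca-certificates-2021.2.50-72.el7_9.noarch"
# to "version-release" without dist tag or arch: "2021.2.50-72".
# Prints nothing when the input is not a package build string.
normalize_build() {
    printf '%s\n' "$1" |
        sed -n 's/^\(ca-certificates-\)\{0,1\}\([0-9][0-9.]*-[0-9][0-9]*\).*$/\2/p'
}

# Exit status: 0 = older than FIXED_BUILD (update needed),
#              1 = at or past FIXED_BUILD, 2 = unparseable / not installed.
needs_ca_update() {
    build=$(normalize_build "$1")
    [ -n "$build" ] || return 2
    [ "$build" = "$FIXED_BUILD" ] && return 1
    # sort -V (GNU coreutils) orders version strings numerically per field.
    oldest=$(printf '%s\n%s\n' "$build" "$FIXED_BUILD" | sort -V | head -n 1)
    [ "$oldest" = "$build" ] && return 0
    return 1
}

# On an RPM-based host, report on the locally installed package.
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q ca-certificates 2>/dev/null || true)
    rc=0
    needs_ca_update "$installed" || rc=$?
    case $rc in
        0) echo "$installed predates $FIXED_BUILD: run yum -y update ca-certificates" ;;
        1) echo "$installed already includes the fix" ;;
        *) echo "ca-certificates not found via rpm" ;;
    esac
fi
```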
For servers running CloudLinux 6, you can update the necessary package by using the following command:
yum update openssl* --enablerepo=cloudlinux-rollout-3-bypass