Symptoms

SSL connections may fail with the following:

The certificate issuer's certificate has expired. Check your system date and time.

Description

As of September 30th, 2021, the DST Root CA X3 certificate used in the Let's Encrypt chain of trust has expired. Clients that do not recognize ISRG Root X1 now fail security checks when accessing sites that use Let's Encrypt as their SSL provider.

Let's Encrypt describes the issue in detail in the following post:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Workaround

On servers running CentOS or CloudLinux 7 or higher, this has been addressed by the most recent operating system updates, which update the certificate bundles.

rpm -q ca-certificates
ca-certificates-2021.2.50-72.el7_9.noarch

rpm -q ca-certificates --changelog | head
* Tue Sep 14 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-72
- Fix expired certificate.
- Removing:
- # Certificate "DST Root CA X3"

If the installed version is older than 2021.2.50-72, the package can be updated manually with the following:

yum -y update ca-certificates
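
The version check above can be scripted across several servers. The following is an added example, not code from the vendor or from Let's Encrypt: the function names, the default bundle path /etc/pki/tls/certs/ca-bundle.crt and the "# name" comment lines in the bundle are assumptions, and sort -V is used as an approximation of RPM's version comparison.

```shell
#!/bin/sh
# Added example: does this host still need the ca-certificates update?
# First build that removes DST Root CA X3, per the changelog shown above.
FIXED_VR="2021.2.50-72"

# Reduce `rpm -q ca-certificates` output to VERSION-RELEASE without the
# dist tag: ca-certificates-2021.2.50-72.el7_9.noarch -> 2021.2.50-72
pkg_version_release() {
    case $1 in
        ca-certificates-[0-9]*) ;;
        *) return 2 ;;   # "package ... is not installed" or other text
    esac
    vr=${1#ca-certificates-}
    printf '%s\n' "${vr%%.el*}"
}

# Exit 0 if the installed build is older than FIXED_VR, 1 if it is the
# fixed build or newer, 2 if the input could not be parsed.
# Assumption: `sort -V` orders these numeric strings the way RPM does.
needs_update() {
    installed=$(pkg_version_release "$1") || return 2
    [ "$installed" = "$FIXED_VR" ] && return 1
    oldest=$(printf '%s\n%s\n' "$installed" "$FIXED_VR" | sort -V | head -n 1)
    [ "$oldest" = "$installed" ]
}

# Exit 0 if a PEM bundle lists ISRG Root X1 and no longer lists
# DST Root CA X3. Assumption: certificates carry "# <name>" comment lines.
bundle_ok() {
    grep -qF 'ISRG Root X1' "$1" && ! grep -qF 'DST Root CA X3' "$1"
}

# Run on the server itself (requires rpm). Optional argument: bundle path.
check_host() {
    bundle=${1:-/etc/pki/tls/certs/ca-bundle.crt}
    q=$(rpm -q ca-certificates 2>/dev/null)
    needs_update "$q"
    case $? in
        0) echo "UPDATE: $q is older than $FIXED_VR" ;;
        1) echo "OK: $q" ;;
        *) echo "UNKNOWN: ca-certificates does not appear to be installed" ;;
    esac
    bundle_ok "$bundle" ||
        echo "WARN: $bundle lacks ISRG Root X1 or still lists DST Root CA X3"
}

if [ "${1:-}" = "--check" ]; then check_host "${2:-}"; fi
```

Run the script with --check on the server to print the result; without arguments it only defines the functions.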

For servers running CloudLinux 6, you can update the necessary package by using the following command:

yum update openssl* --enablerepo=cloudlinux-rollout-3-bypass