Let's Encrypt Root Issue [Resolved]

Discussion in 'LiquidFiles General' started by B-C, Oct 15, 2021.

  1. B-C

    B-C New Member

    https://wpencryption.com/r3-root-expired-not-trusted/

    seeing this now...
    active valid cert and not expired ...
    yet not trusted ..

    How do we go about updating the intermediate... / removing the cert completely....???
    can do self signed and then use CF to secure that... but this is no go...
    HSTS would prefer to remove that... but don't see the setting to remove that..
     
  2. B-C

    B-C New Member

    Non issue - appears to have been my issue.. vs LF issue..
    still odd...
    fix for me...
    Remove LE Cert > by changing to self signed cert..
    odd because normal LE behaviour checks 80 then 443 if no 80 response...
    verify and fix inbound rules (was using only https had blocked http)
    re-enabled inbound http rules > verified http good -
    Changed from forced HTTPS (bad setting if LE needs inbound 80 apparently with LF script - ok by me) > both http & https (disabled hsts)
    ---
    due to using CloudFlare - had to also disable https rewrites and make sure inbound 80 was clean... removed the proxy temporarily as well.
    now able to get inbound without https and working

    Then - Changed Cert back to LE..
    got out and got new cert ... without any issue.

    Back into CloudFlare and re-enable Proxy & SSL (https) rewrites for all my inbounds

    Firewall still will allow inbound 80 - which I'm going to also disable until it's needed..
    but this will serve as it being "My Fault"

    Now I'll go sit in a corner and complain about why we don't have a DNS Challenge option!!!!
    ;p
     
  3. David

    David Administrator
    Staff Member

    Older LF server versions (<3.5.13), or LF servers that do not have system updates enabled, do not have the updated ca-certificates package, which removes the recently expired DST Root CA X3 certificate.
    This causes the installed Let's Encrypt certificate on LF servers to not be considered trusted.
    To fix that, you need to update to >=v3.5.13 first. Then re-validate the LE certificate in the "Admin > System > Certificate" settings.
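
A check for the stale-trust-store condition described in the reply above, as an added example that is not part of the thread or LiquidFiles' own code: it audits a list of CA certificates for expired roots and for the presence of DST Root CA X3 and ISRG Root X1 (the root Let's Encrypt issues under). The sample entries are constructed in the shape `ssl.SSLContext.get_ca_certs()` returns, and the function names are illustrative.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLContext.get_ca_certs();
# the names and notAfter dates are the public values for these two roots.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]


def common_name(cert):
    """Return the subject commonName of a decoded certificate dict, or ''."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def audit_trust_store(ca_certs, now=None):
    """Report expired CA certificates and whether the two roots are present."""
    now = time.time() if now is None else now
    names = [common_name(c) for c in ca_certs]
    expired = sorted(
        common_name(c) for c in ca_certs
        if ssl.cert_time_to_seconds(c["notAfter"]) < now
    )
    return {
        "expired": expired,
        # A store that still ships this root has not had ca-certificates updated.
        "has_dst_root_x3": "DST Root CA X3" in names,
        "has_isrg_root_x1": "ISRG Root X1" in names,
    }


if __name__ == "__main__":
    # Audit the certificates loaded into the local default TLS context.
    # On systems that use a hashed CA directory the list may be empty
    # until a handshake has loaded certificates on demand.
    ctx = ssl.create_default_context()
    print(audit_trust_store(ctx.get_ca_certs()))
```
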
     
  4. B-C

    B-C New Member

    Yup...

    Support also noted there was an issue with the AutoUpdater..
    I hadn't checked the update - just that I got my daily email report that it was alive..

    Since the updater was busted - the server wasn't updating..

    So updated it and also set the newer settings to update LF + Server Security - good option there added.

    However now that I'm all updated - a few more issues now have cropped up..
    SSL good - sort of..

    for years I've never allowed inbound http at the firewall and rewrite http to https via Cloudflare...
    all my certs renew because default LE behavior is try http then second go to https and it just works... but probably does require a valid cert..
    so initial run - must have http open I guess...

    I opened then closed it back down - so we'll see how renewals run in Jan now..

    ----

    Upgrade issues with template / customizations.

    finding that customizations are a mess..
    responsive menu doesn't work in Admin - at least for me... which is probably a cache issue... but tried another browser and had same issue...
    so maybe not..

    also logo provided doesn't get responsive sizing - and overtakes the entire login screen...
    (most likely my fault as well but just noting in case it's something that wasn't entirely my doing... - I'll forward that info over to support as well.)
     
