Trust issue while sending a post to my API since DST Root CA X3 Expiration

I have a C# API running on AWS S3 with Ubuntu. This API is used by a website, a Windows application and a Xamarin app deployed on Samsung Android devices.

Since today 16:00 (Paris time), the Android part is not working anymore; I have a "trust issue". Clearly it seems to be related to the DST Root CA X3 expiration (no release on my side, and the timing is perfect).

But I don't understand why...

  1. SSL certificate

I checked my SSL certificate and, according to the Let's Encrypt forums, one of the paths is based on "ISRG Root X1". The second one is based on "DST Root CA X3" (expired). I renewed them anyway to be sure, but I still have the same certificate path (and no problem for Chrome to contact them).

  2. Internet with HTTPS is working

I can reach the internet with a WebView inside the app (to my website over HTTPS).

  3. Can't connect using RestSharp

When I use RestSharp to contact my server, I have the trust issue.

My Android devices are all the same: Samsung A7 tabs, half of them up to date, the other half updated in August, all of them with Android 11. So theoretically they are "not concerned" by this certificate expiration.

Can the problem come from Xamarin or RestSharp? Maybe my server certificate?

EDIT: OK, half resolved.... If I go to the "Trusted Root Certificates" folder on my Android device (I don't know the exact name) and disable "Digital Signature Trust Co. - DST Root CA X3", it works again!

Not a "real solution", since I need to update something like 150 devices... 2 options in my mind:

  • Can I force RestSharp to use one certificate rather than another?
  • Is it just because Android knows the expiration date is 30/09 and still uses it because we are still on 30/09, and everything will work tomorrow?

EDIT 2: resolved.

Thanks to all of you; sorry, I should have been able to validate this answer before some posts, but Stack Overflow was in read-only mode this night and I fell asleep after that.

What I did (not sure if all steps are mandatory):

1/ I updated certbot, since mine was < 1 (check with certbot --version):

sudo apt-get remove -y certbot python3-certbot-apache
sudo snap install certbot --classic
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Procedure from @dmaehler from the Let's Encrypt forum.

2/ As @hamzaElHanna and @ThatCoderGuy said, I updated the certificates:

update-ca-certificates

3/ I ran cert-sync to synchronise the Ubuntu and Mono certificates (if it works as I understand it).

4/ I renewed my SSL certificate to remove DST Root CA X3, since it's no longer in my server certificates:

sudo certbot renew --force-renewal --preferred-chain "ISRG Root X1"

As proposed by @dmaehler and @jsoetewey.

SSL Labs to check: the path with the old certificate is removed and RestSharp works as before.

Thanks for the help, everything was useful!

Toows asked Sep 30 '21 19:09


3 Answers

If you are using certbot:

certbot renew --preferred-chain "ISRG Root X1" --force-renewal
jsoetewey answered Oct 07 '22 00:10


We faced a similar problem; we fixed it by adding ! before mozilla/DST_Root_CA_X3.crt in the /etc/ca-certificates.conf file, which disables the DST Root CA X3:

!mozilla/DST_Root_CA_X3.crt

After that, you need to update ca-certificates:

$ update-ca-certificates

Hamza EL HANNA answered Oct 07 '22 01:10
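The two answers above and the question's EDIT 2 describe one procedure in fragments: check whether the served chain still ends in the expired DST Root CA X3 cross-sign, disable that root in the Ubuntu trust store with a "!" prefix in /etc/ca-certificates.conf, rebuild the store, sync it into Mono, and renew with --preferred-chain "ISRG Root X1". The script below is an added example that ties those steps together; it is not code from the question or from any of the answers. It assumes a Debian/Ubuntu layout (/etc/ca-certificates.conf and update-ca-certificates), openssl on PATH, Mono's cert-sync for the C# API, and certbot 1.12 or newer (the version that introduced --preferred-chain). CHECK_HOST is a name chosen for this example, and the host is a placeholder.

```sh
#!/bin/sh
# Added example, not code from the question or answers. Checks a server's served
# chain for the expired DST Root CA X3 cross-sign and scripts the "!" trick for
# ca-certificates.conf plus the server-side refresh from the question's EDIT 2.
# Assumes Debian/Ubuntu (/etc/ca-certificates.conf, update-ca-certificates),
# openssl, Mono's cert-sync, and certbot >= 1.12. CHECK_HOST is an example name.

# Print the "Certificate chain" summary that openssl s_client shows: one
# "s:" (subject) and one "i:" (issuer) line per certificate the server sent.
# Needs network access to the host.
served_chain() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | sed -n '/^Certificate chain/,/^---/p'
}

# Exit 0 if the entry is already disabled ("!" prefix) in a ca-certificates.conf.
ca_entry_disabled() {
    conf="$1"; entry="$2"
    grep -qxF "!$entry" "$conf"
}

# Prefix an entry in ca-certificates.conf with "!", idempotently.
# Exit 1 (and change nothing) if the entry is not listed at all.
disable_ca_entry() {
    conf="$1"; entry="$2"
    if ca_entry_disabled "$conf" "$entry"; then
        return 0                      # already disabled, nothing to do
    fi
    if ! grep -qxF "$entry" "$conf"; then
        echo "$entry not listed in $conf" >&2
        return 1
    fi
    # rewrite through a temp file so this works with any sed, not only GNU sed -i
    sed "s|^$entry\$|!$entry|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Server-side sequence from the question's EDIT 2, to be run as root on the
# Ubuntu box: drop the expired root from the system store, rebuild the store,
# push it into Mono's store (used by the C# API), then renew so the served
# chain ends at ISRG Root X1 instead of the DST Root CA X3 cross-sign.
refresh_server_trust() {
    disable_ca_entry /etc/ca-certificates.conf mozilla/DST_Root_CA_X3.crt || true
    update-ca-certificates
    cert-sync /etc/ssl/certs/ca-certificates.crt
    certbot renew --force-renewal --preferred-chain "ISRG Root X1"
}

# Usage: CHECK_HOST=api.example.com sh check-chain.sh
if [ -n "${CHECK_HOST:-}" ]; then
    chain=$(served_chain "$CHECK_HOST")
    if [ -z "$chain" ]; then
        echo "could not fetch a certificate chain from $CHECK_HOST" >&2
        exit 2
    fi
    echo "$chain"
    if echo "$chain" | grep -q 'DST Root CA X3'; then
        echo "$CHECK_HOST still serves the DST Root CA X3 cross-sign; renew with --preferred-chain \"ISRG Root X1\""
    else
        echo "$CHECK_HOST serves a chain without DST Root CA X3"
    fi
fi
```

Two caveats. Disabling the root locally only fixes clients whose trust store you control (the API box, or devices where you can toggle the CA, as the question did by hand); the Android tablets only stop failing once the server stops sending the cross-signed path, which is what the certbot renewal does. And --force-renewal counts against Let's Encrypt rate limits, so run it once, not on every deploy.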


We've had similar issues today; unfortunately we were using an older Amazon Linux on Elastic Beanstalk. Upgrading to the latest Ubuntu build in your case should fix your issues.

The issue we had was that the Amazon Linux trusted certificate service was always adding the expired root certificate.

The reason RestSharp is having problems is probably because it's trying to do something like a curl request behind the scenes and is doing a handshake to verify the validity of the SSL cert when sending a request. The way it does this is by checking it against certs that are trusted on the server, which include the expired certificate.

See here for Ubuntu builds that have the latest certs upgrade: https://ubuntu.com/security/notices/USN-5089-1

ThatCoderGuy answered Oct 07 '22 00:10