Root cause

Old Let's Encrypt CA certificates became invalid on 30.09.2021:

All TDS certificates are already signed by new Let's Encrypt authority for 6 months approximately. Thanks to cross signing it worked until expiry 30.09.2021.

Therefore you have to make sure that all your tools trust that new CA certificates which were created in 2015 but still is not distributed everywhere.


Issues are usually caused by outdated tools installed or Let's Encrypt certificate missing in trusted CA stores.


Importing CA certificate into Windows certificates store

  1. Open your favourite Browser
  2. Download new Lets's Encrypt ISRG root certificate
  3. Double click on downloaded CA certificates and follow import wizard. It can look like this:

Updating particular tools that might use own certificates store


Following resolutions help to make CA certs trusted for curl, wget and other system tools, also updates openjdk cacerts store.

Remember to restart Java based applications to take new certificates in use.

Importing CA certificate into Ubuntu certificates store

apt-get install ca-certificates ca-certificates-java -y
wget -O /usr/local/share/ca-certificates/isrgrootx1.crt
update-ca-certificates --fresh

Importing CA certificate into CentOS certificates store

yum install ca-certificates
wget -O /etc/pki/ca-trust/source/anchors/isrgrootx1.crt
update-ca-trust enable
update-ca-trust extract

Related articles