Old Let's Encrypt CA certificates became invalid on 30.09.2021:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
All TDS certificates are already signed by new Let's Encrypt authority for 6 months approximately. Thanks to cross signing it worked until expiry 30.09.2021.
Therefore you have to make sure that all your tools trust that new CA certificates which were created in 2015 but still is not distributed everywhere.
Issues are usually caused by outdated tools installed or Let's Encrypt certificate missing in trusted CA stores.
if upgrade is not possible, you must manually import new CA certificate https://letsencrypt.org/certs/isrgrootx1.pem into java cacerts
Like in this example assuming C:\Program Files\Java\jdk-11.0.4\ Java path:
C:\Program Files\Java\jdk-11.0.4\bin\keytool -import -trustcacerts -alias certAlias -file isrgrootx1.pem -keystore C:\Program Files\Java\jdk-11.0.4\lib\security\cacerts |
Inspired by: https://docs.oracle.com/javase/tutorial/security/toolfilex/rstep1.html
Following resolutions help to make CA certs trusted for curl, wget and other system tools, also updates openjdk cacerts store.
Remember to restart Java based applications to take new certificates in use. |
apt-get install ca-certificates ca-certificates-java -y wget https://letsencrypt.org/certs/isrgrootx1.pem -O /usr/local/share/ca-certificates/isrgrootx1.crt update-ca-certificates update-ca-certificates --fresh |
yum install ca-certificates wget https://letsencrypt.org/certs/isrgrootx1.pem -O /etc/pki/ca-trust/source/anchors/isrgrootx1.crt update-cacerts |
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
|