Configure certbot to use current Let's Encrypt SSL cert chain on Ubuntu 18.04.6
I did some research recently and have found that others have been reporting an issue with the Let's Encrypt certificate chain. It is related to the self-signed DST Root CA X3 cert still being in the chain issued by Let's Encrypt on Ubuntu 18.04.6.
I have fixed the issue on my instance by doing the following, but we will need to review the issue for cert renewal.
1) Remove the APT install of certbot:
   sudo apt remove certbot
2) Install the Snap version of certbot, which is newer than the one in the APT repo:
   sudo snap install --classic certbot
3) Copy certbot to /usr/bin:
   sudo cp /snap/bin/certbot /usr/bin
4) Remove the existing Let's Encrypt certs:
   sudo rm -rf /etc/letsencrypt
5) Request a new SSL cert with the correct chain, using ISRG Root X1 instead of DST Root CA X3, which is the default chain:
   sudo certbot certonly --preferred-chain "ISRG Root X1" -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN
6) Next, remove the older split intermediate certs and split the new intermediate certs:
   sudo rm -rf /usr/local/share/ca-certificates/* && sudo cat /etc/letsencrypt/live/$FQDN/chain.pem | sudo awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "/usr/local/share/ca-certificates/intermediate-cert" n ".crt"}'
7) Next, add the intermediate certs into the trusted store:
   sudo update-ca-certificates --fresh
8) Apply the correct owner and permissions to the new SSL cert and private key:
   sudo chown -R root:sudo /etc/letsencrypt/
   and
   sudo chmod -R 750 /etc/letsencrypt/
9) Next, restart the zend daemon:
   sudo systemctl restart zend
   or
   zen-cli stop && sleep 4 && zend
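Before restarting zend it is worth confirming which chain certbot actually wrote. The script below is an added example, not part of the original post: it lists each certificate in a PEM chain file (the path /etc/letsencrypt/live/$FQDN/chain.pem is a placeholder; fullchain.pem works too) and fails if the DST Root CA X3 cross-sign is still present or the chain does not end at ISRG Root X1. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a PEM chain file such as
# /etc/letsencrypt/live/$FQDN/chain.pem (or fullchain.pem) and report whether
# it still carries the DST Root CA X3 cross-sign or ends at ISRG Root X1.
# Assumes the openssl CLI is installed.

# Print one "subject|issuer" line per certificate in the file, in file order.
chain_subjects_issuers() {
    # crl2pkcs7 bundles every cert in the file; pkcs7 -print_certs lists each
    # one as a "subject=..." line followed by an "issuer=..." line.
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null \
        | awk '/^subject=/ { sub(/^subject=/, ""); s = $0 }
               /^issuer=/  { sub(/^issuer=/, "");  printf "%s|%s\n", s, $0 }'
}

# Return 0 when the chain is anchored at ISRG Root X1 and free of the
# DST Root CA X3 cross-sign; 1 otherwise; 2 if the file cannot be parsed.
check_le_chain() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    listing=$(chain_subjects_issuers "$1")
    [ -n "$listing" ] || { echo "no certificates found in $1" >&2; return 2; }
    printf '%s\n' "$listing" | sed 's/^/cert: subject=/; s/|/ issuer=/'
    rc=0
    # Any cert issued by DST Root CA X3 is the cross-sign that expired 2021-09-30.
    if printf '%s\n' "$listing" | grep -q '|.*DST Root CA X3'; then
        echo "FAIL: chain still carries the DST Root CA X3 cross-sign"
        rc=1
    fi
    # The last cert in the file should be the intermediate signed by ISRG Root X1.
    last_issuer=$(printf '%s\n' "$listing" | tail -n 1 | cut -d'|' -f2)
    case $last_issuer in
        *"ISRG Root X1"*) echo "OK: chain ends at ISRG Root X1" ;;
        *) echo "FAIL: last issuer is '$last_issuer', not ISRG Root X1"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh check_chain.sh /etc/letsencrypt/live/$FQDN/chain.pem
if [ -n "${1:-}" ]; then check_le_chain "$1"; fi
```

The same check can be run against a live port by saving the output of openssl s_client -showcerts to a file first, which shows the chain the node is actually serving rather than the one on disk.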
As always if you have any questions hit me up below or on Discord.
Have a great day :)