Various workarounds related to Let's Encrypt DST Root CA X3 expiry : support

Various workarounds related to Let's Encrypt DST Root CA X3 expiry Print

Modified on: Fri, 8 Oct, 2021 at 10:56 AM

Android Notakey Authenticator application

Solution on client side:

On the Android you can manually disable the certificate "Digital Signature Trust Co. - DST Root CA X3".

Go to "Settings > Security > Encryption & credentials" > Trusted credentials"

Scroll down and disable "Digital Signature Trust Co. - DST Root CA X3"

https://github.com/xamarin/xamarin-android/issues/6351#issuecomment-932051312

Solution on server side:

Latest updates include fix for chain issues. First install all latest updates with "ntk sys update" as usual. You will have to run this command multiple times to update all components. To acquire a fresh certificate, run "ntk rp resettls" followed by "ntk rp restart" and wait until certificate is provisioned by checking your service URL (https://mfa.example.com/api/health).

RADIUS Auth Proxy

If using auth-proxy service for remote API that is using Let's Encrypt and logs are showing "Error: TrustFailure", update to latest version with command "ntk sys update". Ensure that you have applied solution on API server side too, as the default chain provided by builtin rp service is not valid.

Other notes

A handy tool to diagnose certificate issues is https://www.ssllabs.com/ssltest/.

Did you find it helpful? Yes No

How can we help you today?