Since September 30th this year, the cross-signed root certificate provided by Let's Encrypt may cause requests to fail with a "certificate has expired" or "certificate expired" error. The ChingStor team summed up the solution quite well; thanks to them for sharing it. The certificate chain is generally updated automatically, and newer systems usually do not have this problem. The solution is simply to update the client's system or software.
I. Upgrade the system
Keeping the system up to date is the best solution for this kind of problem. If a complete upgrade is inconvenient, focus on upgrading openssl, gnutls and ca-certificates.
CentOS / RHEL
yum upgrade openssl gnutls ca-certificates
Ubuntu / Debian
apt upgrade openssl libgnutls30 ca-certificates
This solution is available for the following platforms.
Windows >= XP SP3
macOS >= 10.12.1
iOS >= 10
Android >= 7.1.1
Mozilla Firefox >= 50.0
Ubuntu >= xenial / 16.04
Debian >= jessie / 8
Java 8 >= 8u141
Java 7 >= 7u151
NSS >= 3.26
II. Disabling expired certificates manually
If the system no longer receives updates, or updating it is inconvenient, you can disable the expired certificate manually as follows.
Linux platform
Open and edit the /etc/ca-certificates.conf file, and add a ! (a half-width ASCII exclamation point) in front of the certificate's entry to disable it, so that the line reads !mozilla/DST_Root_CA_X3.crt. After editing, run the update-ca-certificates command to update the system's certificate chain.
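One way to script the edit described above so that it can be re-run safely (an added example, not part of the original article; the function names entry_state, disable_entry and make_sample are hypothetical, and the sample file is constructed):

```sh
#!/bin/sh
# Added example (not from the original article): disable the expired root in a
# ca-certificates.conf-style file, idempotently. Function names are hypothetical.
# Usage as root: disable_entry /etc/ca-certificates.conf && update-ca-certificates
CERT_ENTRY='mozilla/DST_Root_CA_X3.crt'

# entry_state FILE: print "enabled", "disabled" or "absent" for CERT_ENTRY.
entry_state() {
    if grep -qxF -e "!$CERT_ENTRY" "$1"; then
        echo disabled
    elif grep -qxF -e "$CERT_ENTRY" "$1"; then
        echo enabled
    else
        echo absent
    fi
}

# disable_entry FILE: prefix the entry with "!" and keep a copy in FILE.bak.
# Returns 0 if the file was changed, 1 if there was nothing to do, 2 on error.
disable_entry() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    [ "$(entry_state "$conf")" = enabled ] || return 1
    tmp=$(mktemp) || return 2
    # Exact whole-line match in awk, so dots and slashes need no escaping.
    if awk -v e="$CERT_ENTRY" '$0 == e { print "!" e; next } { print }' \
            "$conf" > "$tmp" && cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"
    then rc=0; else rc=2; fi
    rm -f "$tmp"
    return "$rc"
}

# make_sample FILE: write a constructed sample config for trying the functions.
make_sample() {
    printf '%s\n' '# constructed sample, not a real system file' \
        'mozilla/DST_Root_CA_X3.crt' 'mozilla/ISRG_Root_X1.crt' > "$1"
}
```

A return code of 1 on a second run means the entry was already disabled or is not listed, so update-ca-certificates does not need to be run again.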
On CentOS 7 and later you need to execute the following commands:
cp /etc/pki/ca-trust/extracted/cadir/DST_Root_CA_X3.pem /etc/pki/ca-trust/source/blacklist
update-ca-trust
Windows Platform
Use the shortcut Win + R and type certmgr.msc to open the system's certificate manager, search for DST ROOT CA X3, delete the relevant certificate and reboot.
Java Platform
Execute the following command:
sudo keytool -delete -alias dstrootcax3 -cacerts -storepass 'changeit'