If you are using BBB installed on Ubuntu 16 , sure you will face an issue in presentation sharing while sharing a file or even start screen sharing as Let’s Encrypt DST Root X3 CA has expired a couple of days ago and the issue has raised after this incident , and sure most of us is using Let’s Encrypt certificate with BBB because it’s renews itself without any worries.
The expiry of IdenTrust DST Root CA X3 happened on Sept. 30 , 2021 ; after this, computers, devices, and clients like Web browsers will no longer trust certificates that have been issued by this CA, also many websites experienced issues this week following the expiration of a root certificate provided by Let’s Encrypt.
Note : If you are using another SSL issuer with Nginx , you won’t face any issues.
Making sure
Before proceed you have to make sure that file sharing issue happened due to Encrypt Root X3 CA , so you have to run the following command :
journalctl -u bbb-html5 | grep error
And if you faced a similar error , so you are in the right place
The Fix
Do the following commands to update you current packages to upgrade the ca-certificates package and the OpenSSL to the latest version and other ubuntu packages.
sudo apt update
sudo apt upgrade -y
- Remove DST_Root_CA_X3 certificate
- Open /etc/ca-certificates.conf by the following command :
nano /etc/ca-certificates.conf
- Search for mozilla/DST_Root_CA_X3.crt by CTRL+W
- Put ! before it , It must be : !mozilla/DST_Root_CA_X3.crt
Update the ca-certificates :
sudo update-ca-certificates
Let Node.Js use the system-wide CA certificates.
Edit /usr/share/meteor/bundle/systemd_start.sh add the parameter –use-openssl-ca like the following image :
Restart BBB
bbb-conf --restart
Hope that helps.
Thank you!! This helped me along to find the correct solution. There are some things that I needed to do differently though. First, you should NOT disable X1, because that is the current working root CA for letsencrypt. Moreover you need a higher version of openssl than is available by default on ubuntu 16.04. (see https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/) I used the instructions here: https://dev.to/tandavala/how-to-install-openssl-from-source-code-on-ubuntu-16-04-j5j . After performing these steps and restarting bbb, presentations are working again!
Hello Henk,
You’ re welcome , actually It was a mistake to deactivate ISRG_Root_X1 , I just edited the blog post.
Thanks for sharing a hint about OpenSSL version in Ubuntu 16 , sure we have to update it.
Thanks for you help.
Unfortunately I have another error now:
Istead of certificate has expired the error ist now:
No file found. Error: unable to get local issuer certificate
Any idea
Ueli
Ok. Found out myself. I reactivated ISRG_Root_X1.pem in /etc/ca-certificates.conf
and now it works…
Yes, It was a mistake to deactivate ISRG_Root_X1 , I just edited the blog post.
thank you saved my day !!!!
You’re welcome 🙂
Removing mozilla/ISRG_Root_X1.crt was not a good idea, but deactivating mozilla/DST_Root_CA_X3.crt alone did the job.
Yes, It was a mistake to deactivate ISRG_Root_X1 , I just edited the blog post.
you should not desactivate !mozilla/ISRG_Root_X1.crt
I think it is better to do bbb-conf –setip instead of bbb-conf –restart
Hello Rapheal,
Yes, It was a mistake to deactivate ISRG_Root_X1 , I just edited the blog post.
Why you think bbb-conf –setip is better ?
Its not working for me
May you give me your current OS release, OpenSSL version and output of that command journalctl -u bbb-html5 | grep error
Great Thank You!!!
You saved my day!! It did the job for me exactly as you described. THANK YOU!!