Users of numerous sites and services across the Internet encountered issues starting Thursday due to the expiration of a root certificate provided by Let's Encrypt, one of the largest providers of HTTPS certificates. At around 10 am ET, the IdentTrust DST Root CA X3 certificate expired. While LetsEncrypt replaced this certificate years ago, some systems and software have not replaced the old certificate. If your connections began receiving with "TLS certificate verification failed" errors around this time please follow the steps below for your system.
On or after September 29, 2021, if you are suddenly encountering SSL/TLS connection errors, it is likely that the expiration of the DST Root CA X3 certificate is the cause. Our servers have up-to-date certificate chains, but some client systems are not prepared for this situation. If you are reading this article, your operating system or Usenet client software likely need to be updated or manually fixed.
The bulk of reports of this issue have been from users of either NZBGet or SABnzbd.
NZBGet uses its own file for CA certificate checks, so you will need to manually edit the cacert.pem file yourself or download the latest version according to their official instructions here: https://github.com/nzbget/nzbget/issues/784#issuecomment-931609658 :
For your convenience I've prepared fixed cacert.pem: https://nzbget.net/info/cacert.pem.
Please download it using your web-browser and put it over existing file in nzbget installation:
- On Windows: under C:\Program Files\NZBGet;
- On Mac: /Applications/NZBGet.app/Contents/Resources/tools;
- On Linux if you use installation package from nzbget download page: in nzbget installation directory, the file is near nzbget executable;
- On Linux if you use Docker: inside docker container in nzbget installation directory, the file is near nzbget executable.
When downloading the file please make sure it was saved as cacert.pem, some browsers may change file extension.
After replacing cacert.pem you need to reload nzbget via Settings->System->Reload or just restart the app.
Alternative you can instead disable certificate validation via option CertCheck in Settings -> Security.
For SABnzbd, the issue is most likely with the operating system's CA certificates.
Windows users may be able to resolve the issue by following these steps:
- Open Run and type mmc.exe
- Select <File>, <Add/Remove Snap-In>
- Choose <Certificates>
- Select <My User Account>, and click<OK>
- Expand <Certificates - Current User>
- Expand <Intermediate Certificate Authorities>, and Click <Certificates>
- Find and delete the expired DST Root CA X3 and/or Let's Encrypt R3 certificates.
Linux users should research the proper way to update the operating system's CA information. update-ca-certificates may be all you need. You may find Let's Encrypt's help thread useful.
SABnzbd error strings:
"Certificate not valid. This is most probably a server issue."
NZBGet error strings:
TLS certificate verification failed