The expiring Let’s Encrypt DST Root CA X3 can cause problems on old servers:

root@server:/etc# wget
--2021-09-30 21:34:39--
Resolving (
Connecting to (||:443... connected.
ERROR: The certificate of `' is not trusted.

Fortunately there is an easy workaround to ensure the expired chain is not checked.

According to my understanding the issue on some old systems (like Debian wheezy) comes from the old OpenSSL 1.0.1 version which only tries to validate the expired trust chain.

This can be avoided by removing DST Root CA X3 from the systems ca certificates:

  1. Edit /etc/ca-certificates.conf and put a bang/exclamation mark (!) before mozilla/DST_Root_CA_X3.crt
  2. Run update-ca-certificates

Note: This applies to clients that cannot connect to a server using a Let’s Encrypt  certificate. It is not a solution for a server using a Let’s Encrypt certificate.

(Based on

The expiration is announced here:

There is a help thread with additional informations: