
I have an nginx webserver running with letsencrypt certificates, updated through certbot renew. All on Ubuntu 14.04. Since 1st Oct 2021 I keep getting emails from cron that the certificates could not be renewed:

Attempting to renew cert (joov.de) from /etc/letsencrypt/renewal/joov.de.conf produced an unexpected error: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",). Skipping.
All renewal attempts failed. The following certs could not be renewed:
 /etc/letsencrypt/live/joov.de/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

How can I fix this without manually upgrading half of my system?

1 Answer

The problem is that the root certificate DST_Root_CA_X3.crt expired at the end of September 2021.

The solution is to disable this certificate. This worked for me on Ubuntu 14.04:

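sudo apt-get update
sudo apt-get upgrade
sudo sed -i 's/^\([^!#].*DST_Root_CA_X3\.crt\)/!\1/' /etc/ca-certificates.conf  # prefix the entry with "!" to deselect it
sudo update-ca-certificates  # rebuild the trust store without the deselected certificate
sudo certbot renew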

This question/answer contains the hint in a comment (the actual answer does not work):

https://stackoverflow.com/questions/69420612/how-can-i-update-my-root-certificates-in-an-ubuntu-14-04-dockerfile
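The `sed` step in the answer, as an added example that is not part of the original answer: a re-runnable version that reports whether an entry is enabled, deselected (leading `!`) or absent, and keeps a backup before editing. The function names `ca_state` and `disable_ca` are hypothetical, and the demo runs on a constructed sample file rather than the real `/etc/ca-certificates.conf`.

```shell
#!/bin/sh
# Print the state of a certificate entry in a ca-certificates.conf-style file:
# "enabled", "disabled" (line starts with "!") or "absent".
ca_state() {
    awk -v n="$2" '
        /^#/ { next }                                   # skip comment lines
        { line = $0; off = sub(/^!/, "", line)          # off=1 if deselected
          base = line; sub(/^.*\//, "", base)           # strip directory part
          if (base == n) { print (off ? "disabled" : "enabled"); found = 1; exit } }
        END { if (!found) print "absent" }' "$1"
}

# Deselect an entry by prefixing it with "!". Safe to run repeatedly.
# Returns 0 on success or no-op, 1 if the entry is not listed, 2 on I/O error.
disable_ca() {
    conf=$1; name=$2
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    case $(ca_state "$conf" "$name") in
        disabled) echo "$name already deselected"; return 0 ;;
        absent)   echo "$name not listed in $conf" >&2; return 1 ;;
    esac
    cp -p "$conf" "$conf.bak" || return 2               # keep the original
    awk -v n="$name" '
        /^[#!]/ { print; next }                         # leave comments and deselected lines
        { base = $0; sub(/^.*\//, "", base)
          if (base == n) print "!" $0; else print }' "$conf.bak" > "$conf"
    echo "$name deselected; backup in $conf.bak"
}

# Demo on a constructed sample file (assumed layout: one certificate path per line).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'mozilla/DST_Root_CA_X3.crt' \
    'mozilla/ISRG_Root_X1.crt' '!mozilla/Example_Old_CA.crt' > "$sample"
disable_ca "$sample" DST_Root_CA_X3.crt
disable_ca "$sample" DST_Root_CA_X3.crt                 # second run is a no-op
cat "$sample"
```

On a real system, call `disable_ca /etc/ca-certificates.conf DST_Root_CA_X3.crt` as root and then run `update-ca-certificates` as in the answer.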
