I took the liberty of opening a new thread specifically for those of us using NGINX. The other two threads are becoming very busy with a myriad of web servers/OSes, and I think that creating a specific topic might help with navigation, especially during an "emergency".
What I could gather from reading a lot of posts is that you must make sure that, in your nginx configuration, you have the ssl_certificate directive pointing to your /etc/letsencrypt/live/{{domain}}/fullchain.pem
However, we already have that setting in our nginx.
For OCSP stapling, we also have:
ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;
I also made sure that we have correct dates in our certificates:
sudo openssl x509 -dates -noout -in cert.pem
notBefore=Sep 11 20:57:45 2021 GMT
notAfter=Dec 10 20:57:44 2021 GMT
sudo openssl x509 -dates -noout -in chain.pem
notBefore=Sep 4 00:00:00 2020 GMT
notAfter=Sep 15 16:00:00 2025 GMT
sudo openssl x509 -dates -noout -in fullchain.pem
notBefore=Sep 11 20:57:45 2021 GMT
notAfter=Dec 10 20:57:44 2021 GMT
However, even with this setup, we have users sending screenshots of Chrome's NET::ERR_CERT_DATE_INVALID.
We can't reproduce it ourselves, neither in Chrome/Firefox/Safari (macOS 10.15) nor in iOS 14.
I find it interesting to report that our status monitoring tool, StatusCake, started reporting "Invalid HTTPS certificate" errors yesterday; apparently they had just solved it (https://status.statuscake.com/).
Also, yesterday, we had a bunch of errors from incoming Mandrill/Mailchimp API requests to our application, and they were reporting an invalid HTTPS certificate as well; the problems were solved without us doing anything.
This makes me worry that the solution is actually user-dependent, and I wonder whether there's anything we can do about this at all on our end.
UPDATE: I posted below the result of the openssl s_client -connect, which actually reports expired certificates.
We do NOT copy certificates from anywhere to anywhere. Certbot generates them in the /etc/letsencrypt/live/domain/ folder, and the nginx configuration points directly there.
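One check worth adding here (an added example, not code from the original post or from Certbot): openssl x509 reads only the first PEM block of a file, so the -dates output for fullchain.pem above describes the leaf certificate alone and never shows an intermediate bundled after it. The helpers below split a bundle, report every certificate, and can run the same report on the chain a server actually sends; the function names and the use of mktemp are my own choices, and openssl, awk and sed are assumed to be on the path.

```shell
#!/bin/sh
# Added example, not code from the original post. openssl x509 only reads
# the FIRST PEM block of a file, so "-dates -in fullchain.pem" never shows
# an expired intermediate bundled behind the leaf. These helpers report
# every certificate. Function names and mktemp usage are my own assumptions.

# Number of certificates in a PEM bundle.
pem_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Write the Nth (1-based) certificate of a PEM bundle to stdout.
pem_nth() {
  awk -v want="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == want                      { print }
    /-----END CERTIFICATE-----/    { if (n == want) exit }' "$1"
}

# Print subject, issuer and notAfter for each certificate in the bundle.
# Returns 1 if any certificate in it has already expired.
chain_dates() {
  bundle="$1"; rc=0; i=1
  total=$(pem_count "$bundle")
  while [ "$i" -le "$total" ]; do
    printf '[%s/%s] ' "$i" "$total"
    pem_nth "$bundle" "$i" | openssl x509 -noout -subject -issuer -enddate | tr '\n' ' '
    echo
    # -checkend 0 exits non-zero when notAfter is already in the past
    if ! pem_nth "$bundle" "$i" | openssl x509 -noout -checkend 0 >/dev/null; then
      echo '    -> EXPIRED'
      rc=1
    fi
    i=$((i + 1))
  done
  return "$rc"
}

# Capture the chain a server actually sends (what browsers and monitors
# see), as opposed to the files on disk, and run the same report on it.
served_chain_dates() {
  host="$1"; tmp=$(mktemp); rc=0
  openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$tmp"
  chain_dates "$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}
```

Run it as `chain_dates /etc/letsencrypt/live/example.com/fullchain.pem` to inspect the files Certbot wrote, and `served_chain_dates example.com` to compare against what nginx is really serving.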