All SSL cert are saying root R3 cert has expired

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

All of my server are saying the root cert r3 has expired yet the cert are fine. I note that you've updated this, but when I update my local cert its still keeping the same root cert from lets. Do I have to completely reinstall or is there a command or script that you've made to update the root certs.

At the moment I can not longer get an up date for my sites & which are mail servers

Very appreciate your help



1 Like

I have the same issue, only at Apple iPhone devices.

Same here.

My certificates are showing as expiring in Nov (last renewal worked), and if I access the website via Firefox on Mac OS is shows the correct certificate.

However, accessing my mail server on the same domain I get an "untrusted" message.

That message (same on iOS) is showing the certificate as having expired 29/09/2021 20:21:40 GMT+1 (BST).

Is this to do with this:? Certificate Compatibility - Let's Encrypt


"root certificate used by Let’s Encrypt to sign client certificates will lose its validity on this day (expiry of Intermediate R3 on 2021/09/29 at 19:21:40 GMT – the DST Root CA X3 expires on 2021/09/30 14:01:15 GMT)"


Which operating system and mail server product are you using?

If you have a certificate configuration file and you are using certificate files as pem format, is it pointing to the fullchain.pem file? If you just server your leaf certificate without the full chain then the clients will resolve the R3 themselves and they may only know the expired one.

If you are on Windows Server, reboot.


same here. Windows /Android is using the certificate with the new authority.
Only iPhones uses the old chain and refuse the server certificate.

Does someone know how to trust the old one or how to force the phone to use the new one?
(Restart is already done :slight_smile: )

Thanks in advance

Solution is described here:

iPhones do it right, when you are using the whole Certificate Chain on your mail server and not just the web server certificate.


Thanks, i use Pfsense (with Lets Encrypt and HAproxy module).
After deleting the expired R3 certificate, new requests are valid on the new root CA.

1 Like

debian 10

What is the solution? Half of the internet is not working for me now on Windows 10 Chromium.

Does work for you? If not, your system might not trust ISRG Root X1 (which it should, if Windows updates are enabled).

This post could also help:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.