Cannot get "ISRG Root X1" chain certificates

I tried to generate an "ISRG Root X1" certificate chain using the command:

certbot certonly --manual --config-dir ./etc --logs-dir ./log --work-dir ./ --csr prime256v1.csr --preferred-chain 'ISRG Root X1' -d '*.ttc.icu' -m '1286196668@qq.com' --agree-tos --no-eff-email

since "DST Root CA X3" has already expired and Safari will show the following certificate expiration error:

So, how can I create an 'ISRG Root X1' chain certificate, and why is R3 also expired according to Safari? If it is expired, why does it keep signing new certificates?

Check that your website configuration is using fullchain.pem, not chain.pem; otherwise the client operating system will try to resolve the R3 > ISRG Root X1 etc. itself, and in many cases (macOS etc.) that will fail.

6 Likes

Thank you! So, is there any case when we should use only cert.pem instead of the full chain?

1 Like

Only in some old systems, where they require the cert to be provided in three parts:
cert.pem
chain.pem
privkey.pem

fullchain.pem = cert.pem + chain.pem

2 Likes