Cannot get "ISRG Root X1" chain certificates

william0419 · November 23, 2021, 1:18pm

I tried to generate a "ISRG Root X1" certificate chain using command:

certbot certonly --manual --config-dir ./etc --logs-dir ./log --work-dir ./ --csr prime256v1.csr --preferred-chain 'ISRG Root X1' -d '*.ttc.icu' -m '1286196668@qq.com' --agree-tos --no-eff-email

since "DST Root CA X3" has already been expired and safari will show the following certificate expiration error:

So, how can I create a 'ISRG Root X1' chain certificate and why the R3 is also expired according to safari? If it is expired, why it's keeping signing new certificates?

webprofusion · November 23, 2021, 1:25pm

Check that your website configuration is using fullchain.pem not chain.pem otherwise the client operating system will try to resolve the R3 > ISRG Root X1 etc itself and in many case (macOS etc) that will fail.

william0419 · November 23, 2021, 2:16pm

Thank you! So, is there any case when we should only cert.pem instead of full chain?

rg305 · November 23, 2021, 2:55pm

Only in some old systems, where they require the cert to be provided in three parts:
cert.pem
chain.pem
privkey.pem

fullchain.pem = cert.pem + chain.pem

system · December 23, 2021, 2:56pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ISRG Root X1 in chain.pem? Server	6	1564	December 10, 2018
Certbot has been configured to prefer certificate chains with issuer 'ISRG Root X1', but no chain from the CA matched this issuer. Using the default certificate chain instead Help	21	4234	February 8, 2022
With '--preferred-chain "ISRG Root X1"' fullchain.pem doesn't contain the ISRG Root X1 certificate Help	7	3466	November 14, 2021
Windows: invalid cert when fullchain.pem ISRG Root X1 is cross-signed by expired DST Root CA X3? Help	10	2296	June 4, 2022
Letsencrypt renews certificates incorrectly Help	5	725	March 5, 2022

Cannot get "ISRG Root X1" chain certificates

Related topics