I had to take this conversation out of that (way-too-long) topic.
Can you show a picture of the error?
Is there any detail in there?
Sorry, I was on my phone all last night. I really appreciate your help, so I'll try to include more and better info now!
openssl s_client -connect app.kreditdata.dk:443 -servername app.kreditdata.dk
Certificate chain 0 s:CN = app.kreditdata.dk i:C = US, O = Let's Encrypt, CN = R3 1 s:C = US, O = Let's Encrypt, CN = R3 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1 i:O = Digital Signature Trust Co., CN = DST Root CA X3
So that could mean my chain still includes the old one, but in my ca-certificates.conf that cert is removed.
Trying in postman I get this, just trying a GET request on app.kreditdata.dk (no specified port):
There is temporary workaround: Settings > General > SSL Certificate verification (disable it)
Postman is built on Electron, which is combination of Chromium (bits of Google Chrome) and NodeJS.
They have acknowledged the issue here:
And there is a fix in the works for the underlying BoringSSL library integration with Electron:
This is quite an interesting issue, given the prevalence of Electron for everything.
Aha - this is great information, thanks a lot!
So we're probably back to this being an issue on my clients end when they try to access our API.
If you aren't serving any older Android devices, you could choose the trust path that ends at the self-signed trusted root "ISRG Root X1".
Another alternative if you need broad client support (especially for old android versions etc) is to switch CA (Zero SSL etc).
The current choice with Let's Encrypt means you can choose between two chains and they both have pros and cons.
My own preference for APIs is to run Cloudflare, which proxies and provides a provisioned cert in front but you also get basic analytics on API calls etc.
I have the same problem! We are running an API within WordPress which connects our products to our licensing system. When I do the following GET request in Postman, I'm getting an cert expired error:
But when I open the URL manually, everything is fine when checking the certificate. The SSL check also shows the correct chain.
When doing a request within WordPress (PHP), I'm also getting this error:
cURL error 60: SSL certificate problem: certificate has expired
Every customer has the problem as well! This has a huge impact on our products and system, and I don't see a fast solution here...
I took @webprofusion's suggestion and popped Cloudflare in front of our endpoint. The certificate they provide does not include the expired cert, and works for us - at least for now
But we don't use Cloudflare on our page and we don't want to use it at all
Alright, then the solution might be to get a new cert that doesn't use the old root in the chain, as far as I understand.
Looks like the only solution for now... Thanks for your confirmation!
When you switch your system to the shorter ISRG Root X1 chain your clients will also need to have ISRG Root X1 in whichever ca bundle curl within PHP uses, you should try it out on test system. An alternative is to switch to a different CA for your certificate.
@Johnny99211, I would try switching the chain from "DST Root CA X3" to the self-signed "ISRG Root X1"
How can I do this within plesk?
@Johnny99211, sorry I've just spent quite a bit of time trying to figure out Plesk - total fail
There should be a way.
I would go on their forum or site and or search the web for info on how to obtain a cert chained from the alternate trust path or how to get a cert form any other FREE CA (that uses ACME client).
If you do find a solution/workaround, please post it back here for others to find/use as well.
I don't have the time for some try outs... I'll trash my LetsEncrypt certs and buy a regular one. Hopefully they are fixed next year
There are also a couple of other FREE CAs - not as good as this one - but FREE.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.