Certbot still sends expired CA certificate

Certbot still delivers the old expired CA certificate... This results in a trust failure because the web server (nginx and apache2) sends all certificates in (full)chain.pem.

I have to manually delete the expired CA cert.

My domain is:
doesn't matter
I ran this command:
certbot -d DOMAIN --nginx certonly
It produced this output:

My web server is (include version):
nginx version: nginx/1.14.2

The operating system my web server runs on is (include version):
Debian 10.10
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

I cannot update certbot because Debian doesn't offer any update (but this should not change any behavior by certbot).

Kind regards

The expired trusted root is the current default path - as seen on this very site.
If you would rather use the shorter/alternate path, you can do so by manually editing the fullchain.pem (or chain.pem) file used and removing the last cert from within it.
This "edit" won't survive the renewal, and thus the need for a newer ACME client that supports the --preferred-chain parameter.
Since certbot can't be upgraded beyond version "0.31.0" on your system, you may have to opt for another choice.
Like:

  • certbot via snaps
  • certbot via docker
  • another ACME client, like: acme.sh
2 Likes
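The manual edit described above (dropping the expired root from the end of fullchain.pem) can be automated so that it survives renewals, for example from a certbot deploy hook. The following is an added example, not code from the thread or from Certbot: it reads each certificate's notAfter with a minimal DER walk (standard library only), drops the expired ones and rewrites the chain; the sample chain at the bottom is constructed, unsigned skeletons standing in for a real fullchain.pem.

```python
import base64, re, ssl
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def children(der: bytes):  # yield (tag, value) for each top-level DER element
    i = 0
    while i < len(der):
        tag, ln = der[i], der[i + 1]
        i += 2
        if ln & 0x80:  # long form: low 7 bits = number of length octets that follow
            k = ln & 0x7F
            ln, i = int.from_bytes(der[i:i + k], "big"), i + k
        yield tag, der[i:i + ln]
        i += ln

def cert_not_after(der: bytes) -> datetime:
    """Read notAfter: Certificate -> tbsCertificate -> validity[1] (RFC 5280 layout)."""
    _, cert_body = next(children(der))        # outer Certificate SEQUENCE
    _, tbs = next(children(cert_body))        # tbsCertificate is its first element
    fields = [c for c in children(tbs) if c[0] != 0xA0]  # drop optional [0] version
    _, validity = fields[3]                   # serial, sigAlg, issuer, validity, ...
    tag, t = list(children(validity))[1]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(t.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def prune_expired(pem_text: str, now=None):
    """Return (PEM chain without expired certs, notAfter of every cert removed)."""
    now = now or datetime.now(timezone.utc)
    kept, dropped = [], []
    for b64 in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        exp = cert_not_after(der)
        if exp > now:
            kept.append(ssl.DER_cert_to_PEM_cert(der))
        else:
            dropped.append(exp)
    return "".join(kept), dropped

# --- constructed demo data: unsigned skeletons, not real certificates ---
def tlv(tag: int, body: bytes) -> bytes:  # short-form DER element, enough for these skeletons
    return bytes([tag, len(body)]) + body

def fake_cert(not_after: str) -> bytes:  # just enough structure for cert_not_after()
    validity = tlv(0x30, tlv(0x17, b"210101000000Z") + tlv(0x17, not_after.encode()))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") + tlv(0x30, b"") + validity + tlv(0x30, b""))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

# Stand-in fullchain.pem: leaf, intermediate, and a root expiring when DST Root CA X3 did
SAMPLE_CHAIN = "".join(ssl.DER_cert_to_PEM_cert(fake_cert(d))
                       for d in ("270101000000Z", "300101000000Z", "210930140115Z"))
```

Run `prune_expired(open("fullchain.pem").read())` against a real chain and write the first element back; a non-empty second element tells you an expired certificate was being served.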

It would be better if Let's Encrypt just removed this expired CA or changed the default path... so on first renewal all expired CAs should be removed.

Imagine you have no access to the server; this would be killing Let's Encrypt... (almost all browsers ignore this, but older browsers and servers do not ignore this)

It might be better for you.
But then the problem shifts to ones that don't have one now.
[there is no choice where everyone is better]

3 Likes

Yes, delivering an expired CA cert is the best solution, especially for beginners.
Let's Encrypt is so easy that everyone can use it. Everything works automatically.

I see many "Expired" or "not trusted" topics, hmm, looks like everything works.

When nobody cares... I don't care.

1 Like

The decision to serve the long chain (ending in the expired DST Root CA X3) was made because the team believes that this will help the most users (those surfing to the site on their mobile devices). Other TLS implementations are generally used more by scripts, devops etc., not end users. Browsers in general will have no trouble with either chain, unless the (OS) trust store is out of date; in that case, neither chain works (except for systems that ignore the expiry of DST Root CA X3, e.g. Android).

3 Likes