Hello, since September, with the expired certificates of Let's Encrypt, some of our customers on macOS cannot connect to our application. This problem only occurs on macOS; on Windows the root certificate automatically changes from DST Root CA X3 to ISRG Root, the new one. I have seen the same problems on the Internet, but all advise to manually install the certificate, and we cannot do something like this for all our customers. I also notice that the problem only concerns the old Macs under version 10.12, but we tested on several Macs with the latest version and it's totally random: on some of them it works and not on others. Same on iPhone. Is there a solution to this problem?
My domain is: https://prod.pm-sa.fr
Thank you for your help!
Welcome to the community @27lab
The problem is your server is only sending your "leaf" certificate. It should send all the "intermediates" too. Without the intermediates a browser will guess at what it should be, and some will get it right and others will not.
I see from your http response headers you are using nginx 1.14. You did not say what ACME client you used but if certbot it looks like you are using "cert.pem" where you should be using "fullchain.pem" (with the appropriate path to the file).
Post back the lines of your nginx conf for the cert definitions if you want further guidance.
Update: This site will show the cert chain you are sending: https://decoder.link/sslchecker/prod.pm-sa.fr/443
Thank you for your answer, we solved the problem thanks to you. We use a ModSecurity WAF (web application firewall) and we have added, as you said, the root and intermediate certificates to our WAF and it works now.
For people in the same situation with a ModSecurity WAF, here are the steps you need to follow:
I'm using Debian 10.9.
Wget, on your ModSecurity WAF, the Let's Encrypt certificates from this address: Chain of Trust - Let's Encrypt
Then you'll need to concatenate your three certificates: first your application certificate, then the intermediate and the root certificate from Let's Encrypt.
cat your-application.crt intermediate.crt root.crt > your-application-chain.crt   # write to a NEW file: redirecting onto an input truncates it before cat reads it
Then edit the concatenated file.
You will see a line with the END CERTIFICATE and the BEGIN CERTIFICATE markers on the same line, like this:
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
So you have to go to a new line there, like this:
Quit and save, then restart nginx; it will now work perfectly!
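As an added example (not code from the original thread), the following POSIX shell script does the concatenation step above into a new file, inserts the missing newline automatically so the fused END/BEGIN line never appears, and checks the result; the file names and the placeholder "certificate" contents it creates are assumptions, not real PEM data.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds the chain file in the
# order the post describes (application cert, then intermediate, then root) but
# into a SEPARATE output file and with a guaranteed newline between parts, so
# the "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" fusion never
# appears. The sample files written by make_samples are constructed placeholders.

# build_chain OUT IN...  Concatenate IN files into OUT, adding a newline after
# any input whose last byte is not already a newline.
build_chain() {
  out=$1; shift
  : > "$out"                       # truncate OUT (never one of the inputs)
  for f in "$@"; do
    cat "$f" >> "$out"
    # $(tail -c1) is empty when the last byte is a newline
    if [ -n "$(tail -c1 "$f")" ]; then printf '\n' >> "$out"; fi
  done
}

# count_certs FILE  Number of correctly delimited BEGIN lines; a fused line
# does not match, so a low count reveals a broken concatenation.
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# chain_is_sane FILE  Succeeds only when no marker pair is fused and every
# BEGIN line has a matching END line.
chain_is_sane() {
  if grep -q 'END CERTIFICATE----------BEGIN CERTIFICATE' "$1"; then return 1; fi
  b=$(count_certs "$1")
  e=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
  [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# make_samples DIR  Write three constructed placeholder "certificates"; the
# application one deliberately lacks a trailing newline, as exported files often do.
make_samples() {
  printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' APPLICATION '-----END CERTIFICATE-----' > "$1/your-application.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' INTERMEDIATE '-----END CERTIFICATE-----' > "$1/intermediate.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' ROOT '-----END CERTIFICATE-----' > "$1/root.crt"
}

# Demo: a plain cat fuses the markers; build_chain does not.
d=$(mktemp -d); make_samples "$d"
cat "$d/your-application.crt" "$d/intermediate.crt" "$d/root.crt" > "$d/naive.pem"
build_chain "$d/fullchain.pem" "$d/your-application.crt" "$d/intermediate.crt" "$d/root.crt"
echo "naive: $(count_certs "$d/naive.pem") certs found; fixed: $(count_certs "$d/fullchain.pem") certs found"
rm -r "$d"
```

Running it prints "naive: 2 certs found; fixed: 3 certs found"; point nginx's ssl_certificate at the file build_chain produced.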