Certificate deprecation end of September

An announcement was made earlier that changes would occur in September with certificates that would be deprecated, and we are down on all three servers. Is there anything we can do? This is a crisis for us.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ddvp1.com ddvp1.net ddvp1.org

I ran this command:

It produced this output:

My web server is (include version): IIS 6

The operating system my web server runs on is (include version): Windows 2008 R2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

Have you tried rebooting? All of your servers appear to be responding to basic TLS requests with the now expired R3 chain. I'm not sure why the full web requests would be timing out though. Do they connect to any back end servers over TLS as well that might be failing?

2008 R2 is way out of support at this point. So there hasn't been a lot of testing on how this expiry would affect it. But the reboot may force IIS to switch to the newer non-expired R3 chain.

If not, you may need to do some checking in the Windows cert stores to make sure the ISRG Root X1 cert is in the Trusted Roots store and possibly some additional tweaking in the Intermediate store.

1 Like

We will reboot.

Our servers are 2008 R2 and we need certs at this point. If we can't get the Let's Encrypt cert to work with a reboot, do you have any additional suggestions?

1 Like

The cert itself isn't the problem and I'm sure we can make it work. It should just be a matter of getting Windows to build and serve the correct chain.

There are two main things you need to verify if it's not fixed after a reboot.

  • Is the system time on the server correct (including timezone)?
  • Open certlm.msc, expand Trusted Root Certification Authorities - Certificates, and make sure there is an entry for ISRG Root X1 that is also issued by ISRG Root X1.

If both of those are true and it's still not working, we can dig deeper.

3 Likes

hmm...
...uncharted territory...

1 Like

If the reboot doesn't fix it, check this post out. Clearing the extra R3 cert from the system user resolved an issue for us just now where IIS was sending an incorrect intermediate.

https://community.letsencrypt.org/t/iis-8-5-building-incorrect-chain-with-lets-encrypt-authority-x3/13320/84

3 Likes

We do see an entry for ISRG Root X1.

We have rebooted.

Communications are now working.

My concern now is that the cutoff date is September 30. Are we going to see the same thing at midnight tonight?

Any advice on what to watch for, since these are production servers supporting 100s of companies?

Thanks in advance.

1 Like

If your sites are all serving this same chain, then you should be fine:

---
Certificate chain
 0 s:/CN=community.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

[that is the EXAMPLE to follow]

1 Like
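As an added example (not part of the thread), a small Python check that parses `openssl s_client` chain output like the one quoted above and reports when a server is not sending the long ISRG Root X1 chain; the `www.example.com` sample is constructed, and the rule that an R3 issued by DST Root CA X3 is the expired one is my assumption, not something the thread states.

```python
import re

# The chain quoted in the thread as the example to follow (copied from the page).
GOOD_CHAIN = """\
Certificate chain
 0 s:/CN=community.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""
# Constructed sample of a server still sending the old R3 (hostname is made up).
STALE_CHAIN = """\
Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""
# Assumption (not stated on the page): the R3 that expired at the end of September
# 2021 is the older R3 cross-signed by DST Root CA X3, so an R3 whose issuer is
# DST Root CA X3 means the server is still serving the stale intermediate.
STALE_R3_ISSUER = "CN=DST Root CA X3"
EXPECTED_ISSUER = {"CN=R3": "CN=ISRG Root X1", "CN=ISRG Root X1": "CN=DST Root CA X3"}
ENTRY = re.compile(r"^\s*\d+\s+s:(?P<s>.*)\n\s*i:(?P<i>.*)$", re.M)

def cn(dn: str) -> str:
    """Reduce a slash-separated DN to its CN component for comparison."""
    m = re.search(r"CN=([^/]+)", dn)
    return "CN=" + m.group(1).strip() if m else dn.strip()

def parse_chain(output: str) -> list[tuple[str, str]]:
    """Return [(subject CN, issuer CN), ...] in the order the server sent them."""
    return [(cn(m.group("s")), cn(m.group("i"))) for m in ENTRY.finditer(output)]

def check_chain(output: str) -> list[str]:
    """Return problems found in s_client chain output; [] means it matches the example."""
    chain = parse_chain(output)
    if not chain:
        return ["no certificate chain found in output"]
    problems = []
    # Each certificate's issuer must be the subject of the next certificate sent.
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            problems.append(f"broken link: {subj} is issued by {issuer}, but next cert is {next_subj}")
    for subj, issuer in chain[1:]:  # skip the leaf; inspect what was sent after it
        if subj == "CN=R3" and issuer == STALE_R3_ISSUER:
            problems.append("server is sending the expired R3 (issued by DST Root CA X3)")
        elif subj in EXPECTED_ISSUER and issuer != EXPECTED_ISSUER[subj]:
            problems.append(f"{subj} should be issued by {EXPECTED_ISSUER[subj]}, got {issuer}")
    return problems
```

Feed it the text of `openssl s_client -connect host:443 -servername host` for each production server; an empty list means that server matches the chain above.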

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.