Certificate gets renewed but still shows expired in the site

My domain is: apps.optimium.in
I ran this command: sudo certbot -d apps.optimium.in --force-renewal

It produced this output:
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

      The new certificate covers the following domains: https://apps.optimium.in
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

      IMPORTANT NOTES:
       - Congratulations! Your certificate and chain have been saved at:
         /etc/letsencrypt/live/apps.optimium.in-0001/fullchain.pem
         Your key file has been saved at:
         /etc/letsencrypt/live/apps.optimium.in-0001/privkey.pem
         Your certificate will expire on 2022-08-08. To obtain a new or
         tweaked version of this certificate in the future, simply run
         certbot again with the "certonly" option. To non-interactively
         renew *all* of your certificates, run "certbot renew"
       - If you like Certbot, please consider supporting our work by:

My web server is (include version): Server version: Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version):
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"

My hosting provider, if applicable, is: NOT APPLICABLE

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

THE ISSUE:
The certificates were working fine on the old servers. Ever since we moved the servers and copied the certificate folder from the old to the new server, we are facing this issue.

I have gone through most of the similar tickets and have tried to copy the "IRSDA_root_cert" to cert.pem etc. But verifying with
https://www.ssllabs.com/ssltest/analyze.html?d=apps.optimium.in

shows the certificates as expired.

Issuing the command "certbot certificates" has the following response:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
verifying the signature of the certificate located at /etc/letsencrypt/live/apps.optimium.in-0001/cert.pem has failed. Details:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/crypto_util.py", line 280, in verify_renewable_cert_sig
cert.signature_hash_algorithm)
File "/usr/lib/python2.7/site-packages/certbot/crypto_util.py", line 308, in verify_signed_payload
verifier.verify()
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 370, in verify
self._hash_ctx.finalize()
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 313, in _rsa_sig_verify
raise InvalidSignature
InvalidSignature
Renewal configuration file /etc/letsencrypt/renewal/apps.optimium.in-0001.conf produced an unexpected error: verifying the signature of the certificate located at /etc/letsencrypt/live/apps.optimium.in-0001/cert.pem has failed. Details: . Skipping.


The following renewal configurations were invalid:
/etc/letsencrypt/renewal/apps.optimium.in-0001.conf


Issuing the command "certbot renew" has the following response:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/apps.optimium.in-0001.conf


Revocation status for /etc/letsencrypt/archive/apps.optimium.in-0001/cert1.pem is unknown
Cert not yet due for renewal


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/apps.optimium.in-0001/fullchain.pem expires on 2022-10-01 (skipped)
No renewals were attempted.


Thanks a lot for your help.

Sammeer

2 Likes

Please do not use --force-renewal. It does not bypass problems and can cause you to become rate limited, which is a bigger problem.

You got new certs as recently as Jul 3 but your Apache server is sending out a self-signed cert as shown by SSL Labs. So, your Apache config has a problem.

Would you please show the output of this command?

sudo httpd -t -D DUMP_VHOSTS

(I think httpd is correct for CentOS but use apachectl if that does not work)

5 Likes

I just saw this. You damaged the Let's Encrypt certs by copying over them. We will look at that after seeing your Apache config. It looks like you have several problems. We will address them one at a time.

6 Likes

Let's have a look at:
certbot certificates
ls -l /etc/letsencrypt/renewal/

4 Likes

Hi Mike,

Following is the output of sudo httpd -t -D DUMP_VHOSTS:

[Sun Jul 24 09:51:19.447753 2022] [so:warn] [pid 2965] AH01574: module proxy_module is already loaded, skipping
[Sun Jul 24 09:51:19.447838 2022] [so:warn] [pid 2965] AH01574: module proxy_http_module is already loaded, skipping
[Sun Jul 24 09:51:19.447850 2022] [so:warn] [pid 2965] AH01574: module rewrite_module is already loaded, skipping
[Sun Jul 24 09:51:19.447866 2022] [so:warn] [pid 2965] AH01574: module ssl_module is already loaded, skipping
VirtualHost configuration:
*:80 apps.optimium.in (/etc/httpd/conf.d/test.conf:1)
*:443 is a NameVirtualHost
default server apps.optimium.in (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost apps.optimium.in (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost apps.optimium.in (/etc/httpd/conf.d/test.conf:9)

Hi,

Following are the outputs:

FOR: certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
verifying the signature of the certificate located at /etc/letsencrypt/live/apps.optimium.in-0001/cert.pem has failed. Details:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/crypto_util.py", line 280, in verify_renewable_cert_sig
cert.signature_hash_algorithm)
File "/usr/lib/python2.7/site-packages/certbot/crypto_util.py", line 308, in verify_signed_payload
verifier.verify()
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 370, in verify
self._hash_ctx.finalize()
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 313, in _rsa_sig_verify
raise InvalidSignature
InvalidSignature
Renewal configuration file /etc/letsencrypt/renewal/apps.optimium.in-0001.conf produced an unexpected error: verifying the signature of the certificate located at /etc/letsencrypt/live/apps.optimium.in-0001/cert.pem has failed. Details: . Skipping.


The following renewal configurations were invalid:
/etc/letsencrypt/renewal/apps.optimium.in-0001.conf


FOR : ls -l /etc/letsencrypt/renewal/

-rw-r--r--. 1 root root 599 Jul 3 08:18 apps.optimium.in-0001.conf

Thanks

You have two configuration files with virtualhosts for the same hostname. Please check those two configuration files/virtualhosts and make sure only one of them is active. Most likely ssl.conf is configured with the incorrect certificate while you want it to be test.conf.

Also:

You've professionally managed to damage the internals of Certbot. Please do not manually make changes inside the /etc/letsencrypt/ directory unless you absolutely know what you're doing.

4 Likes
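The duplicate-vhost condition pointed out in the reply above can be read mechanically from the `httpd -t -D DUMP_VHOSTS` listing. The following is an added example, not part of any post in this thread; the function names are hypothetical and the sample input is the listing posted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): flag hostnames that have more than one
# name-based vhost on the same port in `httpd -t -D DUMP_VHOSTS` output.
# Function names are hypothetical.

# Reads DUMP_VHOSTS text on stdin and prints one line per conflict:
#   <port> <hostname> <file:line> <file:line> ...
find_duplicate_vhosts() {
    awk '
        $1 == "port" && $3 == "namevhost" {
            key = $2 " " $4              # port + hostname identifies a vhost slot
            loc = $5                     # "(/path/to/file.conf:NN)"
            gsub(/[()]/, "", loc)
            seen[key]++
            locs[key] = (seen[key] > 1 ? locs[key] " " : "") loc
        }
        END {
            for (k in seen)
                if (seen[k] > 1) print k, locs[k]
        }
    '
}

# Sample input: the vhost listing posted in this thread.
sample_dump() {
    cat <<'EOF'
VirtualHost configuration:
*:80                   apps.optimium.in (/etc/httpd/conf.d/test.conf:1)
*:443                  is a NameVirtualHost
         default server apps.optimium.in (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost apps.optimium.in (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost apps.optimium.in (/etc/httpd/conf.d/test.conf:9)
EOF
}

# On a live server: httpd -t -D DUMP_VHOSTS 2>&1 | find_duplicate_vhosts
sample_dump | find_duplicate_vhosts
```

The first location printed for a conflict is the vhost the listing marks as "default server", so its SSLCertificateFile is the one clients receive for that name.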

Hi Osiris,

My bad!

You can easily guess I am not much of an admin who understands the technicalities.

Thanks a lot for your help and for pointing out the issue. I believe just renaming the ssl.conf to ssl.conf.old (or something else) will help.

Please guide me on how to recover from the mess I have created in the /etc/letsencrypt directory.

Thanks a ton.

Regards

Sammeer

2 Likes

Let's start with the output of the following commands:

sudo ls -l /etc/letsencrypt/archive/apps.optimium.in-0001/

and

sudo ls -l /etc/letsencrypt/live/apps.optimium.in-0001/

4 Likes

Hi Osiris,

Following are the outputs:

[root@apps httpd]# sudo ls -l /etc/letsencrypt/archive/apps.optimium.in-0001/
total 20
-rw-r--r--. 1 root root 1846 Jul 3 08:18 cert1.pem
-rw-r--r--. 1 root root 1924 Jul 3 09:59 chain1.pem
-rw-r--r--. 1 root root 5596 Jul 3 09:57 fullchain1.pem
-rw-------. 1 root root 1704 Jul 3 08:18 privkey1.pem
[root@apps httpd]# sudo ls -l /etc/letsencrypt/live/apps.optimium.in-0001/
total 4
lrwxrwxrwx. 1 root root 45 Jul 3 08:18 cert.pem -> ../../archive/apps.optimium.in-0001/cert1.pem
lrwxrwxrwx. 1 root root 46 Jul 3 08:18 chain.pem -> ../../archive/apps.optimium.in-0001/chain1.pem
lrwxrwxrwx. 1 root root 50 Jul 3 08:18 fullchain.pem -> ../../archive/apps.optimium.in-0001/fullchain1.pem
lrwxrwxrwx. 1 root root 48 Jul 3 08:18 privkey.pem -> ../../archive/apps.optimium.in-0001/privkey1.pem
-rw-r--r--. 1 root root 692 Jul 3 08:18 README

1 Like

Hi Osiris,

I believe thanks to your guidance, I have resolved this issue by removing the Virtualhost entry from ssl.conf. Now I am able to access 443 and even SSL Server Test: apps.optimium.in (Powered by Qualys SSL Labs) is showing it to be OK.

However, the key issue of the Letsencrypt directory being messed up still exists.

Thanks a ton.

Sammeer

2 Likes

Please show the output of:

sudo openssl x509 -noout -text </etc/letsencrypt/live/apps.optimium.in-0001/cert.pem

5 Likes

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:2c:4a:fd:e7:87:47:74:6b:52:d1:19:e3:b4:90:42:cd:00
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=R3
Validity
Not Before: Jul 3 07:18:51 2022 GMT
Not After : Oct 1 07:18:50 2022 GMT
Subject: CN=apps.optimium.in
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
D1:3C:0F:D4:D8:C8:80:C1:D8:96:F1:3B:B5:5B:C5:6B:C3:E4:30:FF
X509v3 Authority Key Identifier:
keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

        Authority Information Access:
            OCSP - URI:http://r3.o.lencr.org
            CA Issuers - URI:http://r3.i.lencr.org/

        X509v3 Subject Alternative Name:
            DNS:apps.optimium.in
        X509v3 Certificate Policies:
            Policy: 2.23.140.1.2.1
            Policy: 1.3.6.1.4.1.44947.1.1.1
              CPS: http://cps.letsencrypt.org

        CT Precertificate SCTs:
            Signed Certificate Timestamp:
                Version   : v1(0)
                Log ID    : DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A:
                            EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73
                Timestamp : Jul  3 08:18:52.024 2022 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:20:27:1B:D8:95:67:AD:B0:49:85:5D:70:07:
                            60:DA:4D:76:5A:32:00:33:56:4C:BB:2F:89:A5:0F:AE:
                            8F:57:8C:18:02:21:00:A1:68:D3:78:A4:55:D8:AF:67:
                            49:06:41:65:85:AE:D3:41:20:F8:CF:54:75:0B:AC:3D:
                            27:C0:2F:1C:CF:14:78
            Signed Certificate Timestamp:
                Version   : v1(0)
                Log ID    : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:
                            BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84
                Timestamp : Jul  3 08:18:52.028 2022 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:20:58:66:9E:03:31:D7:49:DE:FE:E7:01:D6:
                            B8:AC:65:5F:63:31:02:07:66:28:7E:6C:21:57:C0:7D:
                            2B:02:3C:FD:02:21:00:D5:FF:F7:34:60:63:7F:F6:2B:
                            92:B1:09:92:97:36:50:C8:19:3F:0C:59:C4:E6:84:55:
                            33:B3:CE:B0:32:B9:82
Signature Algorithm: sha256WithRSAEncryption
1 Like

Well, that does look like your most recent certificate.. That whole "and have tried to copy the "IRSDA_root_cert" to cert.pem etc." you did, did you perhaps also already undo that? What did you do exactly?

5 Likes

Hi Osiris,

I was too dumb to keep track of all the stuff I did. However, a few things I remember are:

  • There were two sets of certificates and I removed one of the directories. Luckily I kept the following in the test.conf:
    #SSLCertificateFile /etc/letsencrypt/live/apps.optimium.in/fullchain.pem
    #SSLCertificateFile /etc/letsencrypt/live/apps.optimium.in/cert.pem
    #SSLCertificateKeyFile /etc/letsencrypt/live/apps.optimium.in/privkey.pem
    #SSLCertificateChainFile /etc/letsencrypt/live/apps.optimium.in/fullchain.pem
    #SSLCertificateChainFile /etc/letsencrypt/live/apps.optimium.in/chain.pem

    SSLCertificateFile /etc/letsencrypt/live/apps.optimium.in-0001/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/apps.optimium.in-0001/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/apps.optimium.in-0001/chain.pem

Probably, I did the concatenation of IRSDA_root_cert in the directory I have deleted.

Or, probably in archives. The deleted folder (for /etc/letsencrypt/live/apps.optimium.in) still exists in the archive folder.

Hmkay.. And does certbot certificates still present an error about the current certificate?

4 Likes

Yes. It does. Following is the output:
[root@apps archive]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
verifying the signature of the certificate located at /etc/letsencrypt/live/apps.optimium.in-0001/cert.pem has failed. Details:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/crypto_util.py", line 280, in verify_renewable_cert_sig
cert.signature_hash_algorithm)
File "/usr/lib/python2.7/site-packages/certbot/crypto_util.py", line 308, in verify_signed_payload
verifier.verify()
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 370, in verify
self._hash_ctx.finalize()
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 313, in _rsa_sig_verify
raise InvalidSignature
InvalidSignature
Renewal configuration file /etc/letsencrypt/renewal/apps.optimium.in-0001.conf produced an unexpected error: verifying the signature of the certificate located at /etc/letsencrypt/live/apps.optimium.in-0001/cert.pem has failed. Details: . Skipping.


The following renewal configurations were invalid:
/etc/letsencrypt/renewal/apps.optimium.in-0001.conf


Also, there seem to be "chain" issues:

1 Like

Please show the output of:

openssl x509 -noout -text </etc/letsencrypt/live/apps.optimium.in-0001/chain.pem

and the contents of: /etc/letsencrypt/live/apps.optimium.in-0001/fullchain.pem

I suspect you've overwritten chain.pem with the root certificate where it should be the intermediate.

4 Likes

openssl x509 -noout -text </etc/letsencrypt/live/apps.optimium.in-0001/chain.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Validity
Not Before: Jan 20 19:14:03 2021 GMT
Not After : Sep 30 18:14:03 2024 GMT
Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Authority Information Access:
CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c

        X509v3 Authority Key Identifier:
            keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10

        X509v3 Certificate Policies:
            Policy: 2.23.140.1.2.1
            Policy: 1.3.6.1.4.1.44947.1.1.1
              CPS: http://cps.root-x1.letsencrypt.org

        X509v3 CRL Distribution Points:

            Full Name:
              URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl

        X509v3 Subject Key Identifier:
            79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
Signature Algorithm: sha256WithRSAEncryption

cat /etc/letsencrypt/live/apps.optimium.in-0001/fullchain.pem

I think I added IRSDA_root_cert to the fullchain.pem
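The two `openssl x509 -noout -text` dumps posted in this thread can be compared directly: the Authority Key Identifier in cert.pem must equal the Subject Key Identifier of the first certificate in chain.pem. The following is an added example, not part of any post in the thread; function names are hypothetical, the first two samples are excerpts of the dumps posted above, and the third is constructed to show the matching case.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the key identifier listed under the named X509v3 extension, reading
# `openssl x509 -noout -text` output on stdin. Strips the "keyid:" prefix
# that some OpenSSL versions print for the Authority Key Identifier.
key_id() {
    awk -v ext="X509v3 $1:" '
        grab { sub(/^[ \t]*(keyid:)?/, ""); sub(/[ \t\r]+$/, ""); print toupper($0); exit }
        index($0, ext) { grab = 1 }
    '
}

# $1 = text dump of the leaf, $2 = text dump of the first cert in chain.pem.
# Succeeds only if the chain cert's Subject Key Identifier is the key the
# leaf names as its issuer. Leaves $aki and $ski set for the caller.
issued_by() {
    aki=$(printf '%s\n' "$1" | key_id "Authority Key Identifier")
    ski=$(printf '%s\n' "$2" | key_id "Subject Key Identifier")
    [ -n "$aki" ] && [ "$aki" = "$ski" ]
}

check_chain() {
    if issued_by "$1" "$2"; then
        echo "ok: chain.pem holds the leaf's issuer ($ski)"
    else
        echo "mismatch: leaf issuer key $aki, chain.pem key ${ski:-none}"
    fi
}

leaf_text() {            # excerpt of the cert.pem dump posted in the thread
    cat <<'EOF'
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Subject: CN=apps.optimium.in
            X509v3 Subject Key Identifier:
                D1:3C:0F:D4:D8:C8:80:C1:D8:96:F1:3B:B5:5B:C5:6B:C3:E4:30:FF
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
EOF
}

posted_chain_text() {    # excerpt of the chain.pem dump posted in the thread
    cat <<'EOF'
        Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
        Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1
            X509v3 Authority Key Identifier:
                keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
            X509v3 Subject Key Identifier:
                79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
EOF
}

expected_chain_text() {  # constructed sample: an intermediate whose key matches the leaf's AKI
    cat <<'EOF'
        Subject: C=US, O=Let's Encrypt, CN=R3
            X509v3 Subject Key Identifier:
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
EOF
}

# On a live server (openssl x509 reads only the first certificate in a file):
#   check_chain "$(openssl x509 -noout -text -in cert.pem)" \
#               "$(openssl x509 -noout -text -in chain.pem)"
check_chain "$(leaf_text)" "$(posted_chain_text)"
check_chain "$(leaf_text)" "$(expected_chain_text)"
```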