Certificate invalid for some clients

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domains are: backup-rp.keytrak.com, backup-hou.keytrak.com, backup-rp.keyvault.net, backup-hou.keyvault.net

I use caddy to auto-manage my certificates.
I host an API, and most of my clients have no problem, but a handful are receiving the following error:
"x509: certificate has expired or is not yet valid"
These clients are using either Windows XP, Windows 7, or Windows 10.

Why would only some clients have a problem with the certificate?

@tss_reynolds Welcome to the Let's Encrypt community.

Some of your Windows operating systems are out of the Microsoft support cycle, so their certificate repositories (for root certificates especially) may be out of date (i.e. expired and/or missing).


@tss_reynolds To add to what Bruce said, your site seems fine and serves the "short" alternate chain from Let's Encrypt. Since you are using Caddy I am guessing you chose that chain for a purpose.

But, clients will need to have ISRG Root X1 in the CA trust store. It looks like even modern Windows clients are having problems so it seems the client product uses its own trust store and not the one in Windows. You need to find why that client does not have this in its store and get it added. This ISRG Root X1 was produced about 5 years ago so something has been neglected.

If the client package cannot be updated, you will need to use a different Certificate Authority which that client does support.


I did have the long chain. Saw another topic about that and fixed accordingly.
I am waiting to hear back from support on testing connection.
If they do not have the ISRG Root X1, can't they just download and install?

It depends on what CA certificate store the client is using. If it was just a browser that is one answer. If it is something else, and I think it is, then it might be up to the author of that client. Need to know more about the client - what is it, what version, which client failing on which version of Windows, that sort of thing.
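The replies above turn on one question: does the trust store the failing client actually consults contain ISRG Root X1, and does it still hold expired roots such as the old DST Root CA X3 cross-sign? The script below is an added example written for this thread, not code from the original posters or from Caddy. It uses only the Python standard library: it audits a list of CA entries in the shape `ssl.SSLContext.get_ca_certs()` returns, and `audit_default_store()` runs that audit against whatever store this Python/OpenSSL build loads by default. The `SAMPLE_STORE` entries are constructed for offline use; their subject names and expiry dates are those of the real ISRG Root X1 and DST Root CA X3 roots, everything else is illustrative.

```python
"""Audit a client's CA trust store for ISRG Root X1 and for expired roots.

Added example for the thread above; not code from the original posters.
Standard library only.
"""
import ssl

ISRG_ROOT_X1_CN = "ISRG Root X1"

# Constructed sample store in the nested-tuple shape that
# ssl.SSLContext.get_ca_certs() returns. Subjects and notAfter dates of
# these two roots are public; the store itself is made up for this example.
SAMPLE_STORE = [
    {
        "subject": (
            (("countryName", "US"),),
            (("organizationName", "Internet Security Research Group"),),
            (("commonName", "ISRG Root X1"),),
        ),
        "notAfter": "Jun  4 11:04:38 2035 GMT",
    },
    {
        "subject": (
            (("organizationName", "Digital Signature Trust Co."),),
            (("commonName", "DST Root CA X3"),),
        ),
        "notAfter": "Sep 30 14:01:15 2021 GMT",
    },
]


def subject_cn(cert):
    """Pull commonName out of the nested RDN tuples of one cert dict."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def audit_trust_store(certs, now_str=None):
    """Return (has_isrg_root_x1, expired_cns) for a list of cert dicts.

    now_str is an OpenSSL-style time string such as 'Jan  1 00:00:00 2024 GMT';
    it defaults to the current time. Expiry is judged against notAfter.
    """
    import time
    now = ssl.cert_time_to_seconds(now_str) if now_str else time.time()
    has_isrg = False
    expired = []
    for cert in certs:
        cn = subject_cn(cert)
        if cn == ISRG_ROOT_X1_CN:
            has_isrg = True
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append(cn)
    return has_isrg, expired


def audit_default_store():
    """Audit the CA store that ssl.create_default_context() loads on this host.

    Returns (default_verify_paths, (has_isrg_root_x1, expired_cns)).
    Caveat: get_ca_certs() only lists certificates loaded into the context
    (cafile, or the OS store on Windows/macOS); roots that OpenSSL would
    find lazily via capath, or that Windows would fetch on demand through
    its automatic root update, do not appear here.
    """
    ctx = ssl.create_default_context()
    return ssl.get_default_verify_paths(), audit_trust_store(ctx.get_ca_certs())


if __name__ == "__main__":
    # Offline demo on the constructed store, then the live store of this client.
    print("sample store:", audit_trust_store(SAMPLE_STORE))
    paths, result = audit_default_store()
    print("cafile:", paths.cafile, "capath:", paths.capath)
    print("ISRG Root X1 present:", result[0], "expired roots:", result[1])
```

Run it on the failing machine with the same interpreter the API client uses; a False for ISRG Root X1 there, while the system store has it, is the "client uses its own trust store" case described above. To see which chain the server is actually sending, `openssl s_client -connect host:443 -showcerts` prints every certificate in the served chain, so you can confirm it ends at ISRG Root X1 rather than the expired DST Root CA X3 cross-sign.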

