I've been using Let's Encrypt with Posh-ACME for several years (currently version 4.17.0), to issue X.509 certificates to enable HTTPS for our customers' websites.
This morning, I requested a certificate for 'vastgoeddemeyer.be' (and 'www.vastgoeddemeyer.be' in the SAN list), which succeeded without any errors.
Surfing to this website, however, produces a NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED error; see below.
I tried this in:
Google Chrome 111.0.5563.111 (Official Build) (64-bit) (cohort: Stable)
Microsoft Edge 111.0.1661.54 (Official build) (64-bit)
After this I went back to the previous certificate for this website, which is still valid for some time.
When I search crt.sh, the new certificate isn't found:
Any ideas what could have gone wrong here? Could it be possible that the new certificate wasn't written to the log somehow?
Thank you for your help!
Steven Volckaert
_az
March 27, 2023, 8:09am
2
Can you post the PEM of that certificate? I don't see it in Censys either, which is usually pretty quick to aggregate the logs.
I only see these:
3 Likes
Posh-ACME stores certificates in the CER format and I would have to do some research to convert this to the PEM format. I tried attaching the certificate's full chain (fullchain.cer) to this message, but the file format isn't allowed.
You can find the full chain of certificate 4899B241C2EE5254ED57C48C89EEE19772258488 below, does this help?
If you do require the file in the PEM format, then any pointers on how to convert CER to PEM on Windows Server (e.g. with PowerShell) would be very helpful.
Full certificate chain of certificate 4899B241C2EE5254ED57C48C89EEE19772258488 for [www.]vastgoeddemeyer.be:
Could you open the Advanced button on the error page? That will print a more verbose error there.
2 Likes
_az
March 27, 2023, 11:21am
5
The certificate is fine and has correct SCTs in it. I think it's probably impossible for Let's Encrypt to issue a certificate that hasn't been logged - the order finalization should fail.
I think we have occasionally seen users report this problem with brand new certificates on some platforms. I have a theory that it happens when the system clock is slightly behind and the OS observes an SCT "from the future" (because SCTs are not backdated by an hour, like the certificate validity period is).
I think Chrome on Windows uses the operating system's native SSL validator. You could try clearing the SSL state and seeing whether that makes a difference with the certificate in question.
5 Likes
I confirm certificate 4899B241C2EE5254ED57C48C89EEE19772258488 for [www.]vastgoeddemeyer.be works. Clearing SSL state wasn't necessary.
Thank you @_az for your analysis and help!
I now suspect the issue was caused by the system time not being up-to-date: A time change due to Daylight Saving Time occurred on Sunday 26 March 2023 02:00 (becoming 03:00), and the time on my PC might not have been in sync when I did the test: It was likely still on the old time (CET / UTC+1) while the certificate was issued on the new time (CEST / UTC+2), which indeed caused my PC to observe a certificate issued in the future.
4 Likes
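Added example, not part of any post in this thread: a parser for the TLS-encoded SCT list defined in RFC 6962 (section 3.3) that flags SCT timestamps lying ahead of the client clock, the situation the replies above suspect. It assumes the list has already been unwrapped from the certificate extension; the issuance time, log IDs and signatures are constructed sample values, and signatures are not verified.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_sct_list(data: bytes):
    """Parse a TLS-encoded SignedCertificateTimestampList (RFC 6962, section 3.3)."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated SCT length prefix")
        (n,) = struct.unpack_from(">H", data, pos)
        sct = data[pos + 2 : pos + 2 + n]
        # version(1) + log_id(32) + timestamp(8) + ext_len(2) + sig_alg(2) + sig_len(2) = 47
        if len(sct) != n or n < 47 or sct[0] != 0:
            raise ValueError("truncated or non-v1 SCT")
        (ms,) = struct.unpack_from(">Q", sct, 33)  # milliseconds since the Unix epoch
        scts.append({"log_id": sct[1:33].hex(),
                     "timestamp": EPOCH + timedelta(milliseconds=ms)})
        pos += 2 + n
    return scts

def future_scts(scts, client_now, tolerance=timedelta(0)):
    """Return the SCTs whose timestamp lies after the client's clock."""
    return [s for s in scts if s["timestamp"] > client_now + tolerance]

def build_sct(log_id: bytes, when: datetime) -> bytes:
    """Constructed sample SCT; the 4-byte signature is a dummy and never verified."""
    ms = (when - EPOCH) // timedelta(milliseconds=1)
    body = (b"\x00" + log_id + struct.pack(">Q", ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack(">H", 4) + b"\x00" * 4)
    return struct.pack(">H", len(body)) + body

def demo():
    issued = datetime(2023, 3, 27, 6, 0, tzinfo=timezone.utc)  # constructed issuance time
    not_before = issued - timedelta(hours=1)  # validity start is backdated by an hour
    blob = b"".join(build_sct(bytes([i]) * 32, issued + timedelta(seconds=i)) for i in (1, 2))
    scts = parse_sct_list(struct.pack(">H", len(blob)) + blob)
    true_now = issued + timedelta(minutes=10)
    results = {}
    for label, clock in (("correct", true_now),
                         ("one_hour_behind", true_now - timedelta(hours=1))):
        # (certificate already valid?, number of SCTs "from the future")
        results[label] = (not_before <= clock, len(future_scts(scts, clock)))
    return results

if __name__ == "__main__":
    print(demo())
```

With the clock one hour behind, the backdated validity period still passes while both SCTs appear to come from the future.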