Certificate not valid, expired root

My domain is: https://www.paulhuangviolin.com
My web server is (include version): Apache 2.4.6
The operating system my web server runs on is: CentOS Linux 7.9.2009
I can login to a root shell on my machine: Yes
I'm using a control panel to manage my site: No
The version of my client is: 1.11.0

Hi, a client is reporting that their website isn't loading securely, even though it loads fine for me. When I check their certificate in my browser (Safari 15.1), this is what I see:

They sent me a screen cap of what they see when they check the certificate:

The one difference I see is the DST Root CA X3, which I believe has been deprecated. So I'm assuming that maybe this is a localized issue with the OS or browser software, but not 100% sure. Based on another screen cap they sent me, it looks like they are using an older version of Safari, but they also said that the same is happening with Chrome.

Any info on how I can fix this would be appreciated, thanks!

2 Likes

Yes, that is likely. It would be helpful to know the OS version for the failing client and the versions of the browser(s), and whether the Chrome attempt was on that same machine or is a different problem.

Some info I hope is helpful ...

You are sending the default "long chain" from your server. It is the same chain this website uses (and many others). Browsers make their own chains to adapt to poorly configured servers and other reasons. You cannot tell what the server sent looking at the browser info. Use a site like this one instead:
https://decoder.link/sslchecker

The DST Root CA X3 is not deprecated although it did expire. There are some tradeoffs involved in using this "long chain". Here is a good overview with other links about the DST expiration and the long and alternate "short" chain. Probably more than you care to know but at least some parts will be helpful.

When you learn the details of the failing client post back here and we can provide better instruction.

5 Likes
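As an added example (not part of the thread or of any poster's reply), this is one way to read the chain a server actually sent from `openssl s_client -showcerts` output instead of from the browser's certificate viewer, and tell the "long" chain from the "short" one. The function names and the sample outputs are constructed for illustration; `www.example.com` is a placeholder.

```shell
#!/usr/bin/env bash
# Added example: classify the chain a server SENT, from s_client output on stdin.
# Live use (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null 2>/dev/null | classify_chain

# Print the issuer CN of the last certificate listed under "Certificate chain".
# Handles both "CN = X" (OpenSSL 1.1.1+) and "/CN=X" (OpenSSL 1.0.2) layouts.
last_issuer_cn() {
  awk '
    /^ +i:/ { issuer = $0 }            # remember the most recent issuer line
    END {
      sub(/^.*CN ?= ?/, "", issuer)    # drop everything up to the CN value
      sub("[,/].*$", "", issuer)       # drop any attributes after the CN
      print issuer
    }'
}

# long  = chain ends in ISRG Root X1 cross-signed by the expired DST Root CA X3
# short = chain ends at the intermediate, issued by ISRG Root X1 itself
classify_chain() {
  case "$(last_issuer_cn)" in
    "DST Root CA X3") echo "long" ;;
    "ISRG Root X1")   echo "short" ;;
    *)                echo "other" ;;
  esac
}

# Constructed sample: long chain, OpenSSL 1.1.1 layout (PEM bodies omitted).
sample_long() { cat <<'EOF'
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
EOF
}

# Constructed sample: short chain, OpenSSL 1.0.2 layout.
sample_short() { cat <<'EOF'
Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
EOF
}

echo "long sample:  $(sample_long | classify_chain)"
echo "short sample: $(sample_short | classify_chain)"
```

A "long" result with a client that fails while current browsers succeed points at the client's trust store or chain building rather than at the server configuration.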

Hi Mike,

I wasn't able to find out what the OS was for the client, but I suggested they update to the latest and they reported back that the problem cleared up after that. I ran the website through the SSL Checker you linked to and the report back was "all good."

Thanks very much for your help!

2 Likes
