Since few months, I have a problem of certificate with all my domains, including this domain :
- With Microsoft Edge, no problem.
- With Brave, no problem.
- With Firefox ; I often obtain that there is a problem with certificate authority (but not on all computers)
- With my Smartphone Android (Samsung Browser), I often obtain also that there is a problem with certificate authority (and from time to time, no problem)
Please, I tried many changes into the certificate and intermediate certificate, but nothing works perfectly.
Do you have any idea ?
Welcome to the community @Free_Being
Yes, the certificate chain your server is sending now is not correct. Try this website to check your chain. You now have an intermediate which expired earlier this year.
To help further we will need to know more answers to the questions shown on the form when you submitted this request. Please answer as best you can.
I used this command to create my certificate:
My Apache version is:
The operating system Apache runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client used to get my certificate is (e.g. output of
certbot --version if you are using Certbot):
Thanks for your answer.
Here are the details :
- Apache version : 2.4.51
- Operating system : Windows 10 LTSB 2015
(I have a dedicated server)
- I can login with admins rights, with a full admin shell.
- Acme client : win-acme.v18.104.22.1689.x64.trimmed
Please, do you need any other informations ?
SSL Server Test: www.treshaut.net (Powered by Qualys SSL Labs)
Additionally, the site cert only covers the "www" name - it doesn't cover:
Please also show the lines from your Apache config related to SSLCertificateFile, and related KeyFile and/or ChainFile
Here are the lines from my Apache configuration :
Also, the SSL Server test said :
"Subject Let's Encrypt Authority X3
Fingerprint SHA256: 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d
Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
Valid until Wed, 17 Mar 2021 16:40:46 UTC (expired 8 months and 16 days ago) EXPIRED
Key RSA 2048 bits (e 65537)
Issuer DST Root CA X3"
I understand something is expired.
Is it the intermediate certificate ? I tried to download a new, but it don't change anything to the symptoms.
With your version of Apache you do not need the ChainFile setting and that is where the expired cert is coming from - so remove that.
Your win-acme should have created a file with the name
"...-chain.pem". You should use that in place of
"...-crt.pem" in your CertificateFile setting.
I do not have personal experience with win-acme but those are the names from their documentation.
After those changes, restart Apache and check your certificates with
Check with this site first! Do not test with browser until this site says it is ok. Browsers often make guesses about the cert chains when they are not right. Some browsers guess right and some wrong. Also, they may have cached bad info from before.
Thank you very much ! Everything is working now
PS : you are right, there is a "...-chain.pem" generated for each domain, and it works with that.
OK I see good certs now too.
But, you are not allowing TLS V1.2 - only TLS V1.3. That is your choice but some people may not be able to connect to you because of that.
It is good to not have TLS V1.0 and TLS V1.1 - but 1.2 is still safe.
You will notice the site I suggested to check your cert cannot connect but the SSL Labs site Rudy suggested will connect and shows you TLS 1.2 is not enabled (and shown in Red).
But, my website only need to be used from computers (not old Smartphones).
So, the risk is very low to be blocked with any computer.
I even tried old OS like Windows 7 x64 but with modern browser (Firefox, Edge and Chrome) : everything works with TLS 1.3
Thank you again.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.