Since few months, I have a problem of certificate with all my domains, including this domain : https://www.treshaut.net
With Microsoft Edge, no problem.
With Brave, no problem.
With Firefox ; I often obtain that there is a problem with certificate authority (but not on all computers)
With my Smartphone Android (Samsung Browser), I often obtain also that there is a problem with certificate authority (and from time to time, no problem)
Please, I tried many changes into the certificate and intermediate certificate, but nothing works perfectly.
Yes, the certificate chain your server is sending now is not correct. Try this website to check your chain. You now have an intermediate which expired earlier this year.
To help further we will need to know more answers to the questions shown on the form when you submitted this request. Please answer as best you can.
I used this command to create my certificate:
My Apache version is:
The operating system Apache runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client used to get my certificate is (e.g. output of certbot --version if you are using Certbot):
Here are the lines from my Apache configuration :
SSLCertificateFile "Z:/MyServer/apache/conf/certs/www.treshaut.net-crt.pem"
SSLCertificateKeyFile "Z:/MyServer/apache/conf/certs/www.treshaut.net-key.pem"
SSLCertificateChainFile "Z:/MyServer/apache/conf/certs/ca-letsencrypt-crt.pem"
Also, the SSL Server test said :
"Subject Let's Encrypt Authority X3
Fingerprint SHA256: 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d
Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
Valid until Wed, 17 Mar 2021 16:40:46 UTC (expired 8 months and 16 days ago) EXPIRED
Key RSA 2048 bits (e 65537)
Issuer DST Root CA X3"
I understand something is expired.
Is it the intermediate certificate ? I tried to download a new, but it don't change anything to the symptoms.
With your version of Apache you do not need the ChainFile setting and that is where the expired cert is coming from - so remove that.
Your win-acme should have created a file with the name "...-chain.pem". You should use that in place of "...-crt.pem" in your CertificateFile setting.
I do not have personal experience with win-acme but those are the names from their documentation.
After those changes, restart Apache and check your certificates with https://decoder.link/sslchecker/www.treshaut.net/443
Check with this site first! Do not test with browser until this site says it is ok. Browsers often make guesses about the cert chains when they are not right. Some browsers guess right and some wrong. Also, they may have cached bad info from before.
But, you are not allowing TLS V1.2 - only TLS V1.3. That is your choice but some people may not be able to connect to you because of that.
It is good to not have TLS V1.0 and TLS V1.1 - but 1.2 is still safe.
You will notice the site I suggested to check your cert cannot connect but the SSL Labs site Rudy suggested will connect and shows you TLS 1.2 is not enabled (and shown in Red).
