Certificate renewal issue

Since yesterday some of our clients have been having issues loading the site. It shows that the site is insecure. It is not the same for everyone: it loads fine for some and breaks for others. In some cases the page loads, but API requests sent with the POST method break. This is so weird. Please help us resolve this.

My domain is:
www.weddingwishlist.com

I ran this command:
sudo certbot --nginx -d www.weddingwishlist.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)
Please see the logfiles in /var/log/letsencrypt for more details.

I ran this command:
openssl s_client -connect www.weddingwishlist.com:443 | head

It produced this output:

depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.weddingwishlist.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

My web server is (include version):
nginx

The operating system my web server runs on is (include version):
CentOS 7

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.37.2

1 Like

Your server is sending the long Android-compatible certificate chain. There are currently two chains available, both with different compatibility.

This chain is compatible with Android < 7.1, but is known to break OpenSSL < 1.1 (and other smaller TLS libraries). What TLS libraries (and versions) are your clients using? You might need to switch to the shorter chain, which is compatible with older OpenSSL, but incompatible with old Android.

For OpenSSL 1.0.2 clients (CentOS 7 ships OpenSSL 1.0.2), there are additional workarounds available (those need to be applied on every client): Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog

3 Likes
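The reply above says the long chain breaks OpenSSL < 1.1 and that the fix for OpenSSL 1.0.2 clients must be applied on each client. The following Python script is an added illustration, not code from the thread or from Let's Encrypt, and it is a deliberately simplified model rather than real X.509 verification (no signatures are checked; certificates are plain dicts keyed by subject and issuer). It replays the chain shown in the `s_client` output through two path-building strategies: the OpenSSL 1.0.2 style, which exhausts the server-sent certificates before consulting the trust store and only retries a shorter path when an issuer is missing, and the OpenSSL 1.1.x style, which consults the trust store first. The expiry date of DST Root CA X3 is the one from the thread; the other expiry dates, the "now" date, the trust-store contents and the old-Android behaviour of ignoring a trust anchor's own expiry are assumptions made for the example.

```python
"""Simplified simulation of TLS trust-path building for the chain in this
thread.  Models OpenSSL 1.0.2 (server-sent certs exhausted before the trust
store, shorter-path retry only when an issuer is missing) and OpenSSL 1.1.x
(trust store consulted first).  Not real X.509 code: no signatures are
checked; a certificate is a dict with subject, issuer and notAfter."""
from datetime import datetime

NOW = datetime(2021, 10, 1)  # assumed: the day after DST Root CA X3 expired


def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer, "not_after": not_after}


# Constructed certificate set.  DST Root CA X3's expiry is the value shown in
# the thread's s_client output; every other expiry date is an assumption.
LEAF = cert("www.weddingwishlist.com", "R3", datetime(2021, 12, 20))
R3 = cert("R3", "ISRG Root X1", datetime(2025, 9, 15))
X1_CROSS = cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30))
X1_SELF = cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4))
DST_X3 = cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30, 14, 1, 15))

LONG_CHAIN = [LEAF, R3, X1_CROSS]   # what the thread's server sends (certs 0-2)
SHORT_CHAIN = [LEAF, R3]            # the alternate chain ending at ISRG Root X1
STORE_DEFAULT = [X1_SELF, DST_X3]   # assumed client trust store, expired root still present
STORE_FIXED = [X1_SELF]             # DST Root CA X3 removed on the client
STORE_OLD_ANDROID = [DST_X3]        # assumed: old Android never shipped ISRG Root X1


def is_self_signed(c):
    return c["subject"] == c["issuer"]


def find_issuer(c, pool):
    return next((p for p in pool if p["subject"] == c["issuer"]), None)


def extend(chain, pool):
    """Append issuers found in pool until the path is self-signed or dead-ends."""
    chain = list(chain)
    while not is_self_signed(chain[-1]):
        nxt = find_issuer(chain[-1], pool)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def check_validity(chain, ignore_anchor_expiry=False):
    to_check = chain[:-1] if ignore_anchor_expiry else chain
    for c in to_check:
        if c["not_after"] < NOW:
            return "certificate has expired: " + c["subject"]
    return "ok"


def names(chain):
    return [c["subject"] for c in chain]


def verify_legacy(sent, store):
    """OpenSSL 1.0.2 style.  The path is first built entirely from the
    server-sent certificates, then completed from the trust store.  Expiry is
    checked only once an anchor is reached, so an expired root that IS found
    fails the whole path; only a missing issuer triggers the shorter retry."""
    built = extend([sent[0]], sent[1:])
    for cut in range(len(built), 0, -1):
        chain = extend(built[:cut], store)
        if chain[-1] in store:
            return check_validity(chain), names(chain)
    return "unable to get issuer certificate", names(built)


def verify_modern(sent, store, ignore_anchor_expiry=False):
    """OpenSSL 1.1.x style: the trust store is consulted before the server-sent
    certificates, so the path stops at the trusted ISRG Root X1 and never
    reaches the expired cross-signer.  ignore_anchor_expiry=True approximates
    old Android, which (assumed here) does not check its own anchors' expiry."""
    chain = [sent[0]]
    while chain[-1] not in store:
        nxt = find_issuer(chain[-1], store) or find_issuer(chain[-1], sent[1:])
        if nxt is None or nxt in chain:
            return "unable to get issuer certificate", names(chain)
        chain.append(nxt)
    return check_validity(chain, ignore_anchor_expiry), names(chain)


if __name__ == "__main__":
    cases = [
        ("OpenSSL 1.1.x, long chain", verify_modern(LONG_CHAIN, STORE_DEFAULT)),
        ("OpenSSL 1.0.2, long chain", verify_legacy(LONG_CHAIN, STORE_DEFAULT)),
        ("OpenSSL 1.0.2, long chain, DST Root CA X3 removed", verify_legacy(LONG_CHAIN, STORE_FIXED)),
        ("OpenSSL 1.0.2, short chain", verify_legacy(SHORT_CHAIN, STORE_DEFAULT)),
        ("old Android, long chain", verify_modern(LONG_CHAIN, STORE_OLD_ANDROID, True)),
        ("old Android, short chain", verify_modern(SHORT_CHAIN, STORE_OLD_ANDROID, True)),
    ]
    for label, (status, path) in cases:
        print(f"{label:50} {status:45} {' -> '.join(path)}")
```

Running it shows the trade-off the reply describes: the long chain passes on a 1.1.x-style client and on old Android, fails on a 1.0.2-style client with the expired root still in its store, and passes again on 1.0.2 once DST Root CA X3 is deleted from that client's store (hence "applied on every client"); the short chain fixes 1.0.2 but dead-ends on a store that lacks ISRG Root X1. The certbot error in the original post is the same mechanism: certbot on CentOS 7 is itself an OpenSSL 1.0.2 client talking to acme-v02.api.letsencrypt.org.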

Hi @jaycherrytin, welcome to the LE community forum :slight_smile:

I hope the silence here is a good thing or that you are/will be, at least, well rested and ready to tackle this problem soon :slight_smile:
We are here should you need us.

1 Like

Our clients are mostly mobile users, so we need to support all Android and iOS users.
Also, what do you mean by "need to be applied on every client"? Does it mean we should make modifications on every client device?

Is it possible that PhantomJS could break in this process? It is not loading CSS and font files.

1 Like

That may not even be possible any longer when using a single LE cert trust path.
There are two trust paths and they each serve a different aged set of devices.

  • the longer path is useful in serving older Android devices but may cause problems with iOS
  • the shorter path is useful in serving modern devices but will cause problems with older Androids

You can either:

OR

  • switch to another free CA (until this problem gets resolved at LE - ETA = unknown)
    there are a few to choose from that are ACME client compatible
1 Like

We have multiple domains that our clients access. We can't point each one to 2 different domains.
Isn't there any other way we can make it work? If not, could you please suggest another free CA?

1 Like

ZeroSSL.com
BuyPass.com
Both should work with ACME protocol.

1 Like

Thanks a lot.
Is it possible that the same issue could arise in theirs as well?

2 Likes

Not likely (anytime soon).
[not until one of their roots expires - LOL]

1 Like

But it is possible nonetheless.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.