Certificate renewal issue

jaycherrytin · October 1, 2021, 11:06am

From yesterday some of our clients are having issue loading the site. It shows the site is insecure. It is not the same for everyone. It loads fine for some and breaks for others. In some cases the page loads, but APIs sent on post method breaks. This is so weird. Please help us resolve this.

My domain is:
www.weddingwishlist.com

I ran this command:
sudo certbot --nginx -d www.weddingwishlist.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)
Please see the logfiles in /var/log/letsencrypt for more details.

I ran this command:
openssl s_client -connect www.weddingwishlist.com:443 | head

It produced this output:

depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.weddingwishlist.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

My web server is (include version):
nginx

The operating system my web server runs on is (include version):
CentOS 7

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.37.2

Nummer378 · October 1, 2021, 1:59pm

Your server is sending the long Android-compatible certificate chain. There are currently two chains available, both with different compatibility.

This chain is compatible with Android < 7.1, but is known to break OpenSSL < 1.1 (and other smaller TLS libraries). What TLS libraries (and versions) are your clients using? You might need to switch to the shorter chain, which is compatible with older OpenSSL, but incompatible with old Android.

For OpenSSL 1.0.2 clients (CentOS 7 ships OpenSSL 1.0.2), there are additional workarounds available (those need to be applied on every client): Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog

rg305 · October 2, 2021, 3:25am

Hi @jaycherrytin, welcome to the LE community forum

I hope the silence here is a good thing or that you are/well be, at least, well rested and ready to tackle this problem soon
We are here should you need us.

jaycherrytin · October 2, 2021, 4:59am

Our clients are mostly from mobile users. So, we need to support all android & iOS users.
Also, what do you mean by "need to be applied on every client". Does it mean, we should do modifications in every client device?

Is it possible that phantomJS could breaks in this process? It is not loading css & font files.

rg305 · October 4, 2021, 8:21am

That may not even be possible any longer when using a single LE cert trust path.
There are two trust paths and they each serve a different aged set of devices.

the longer path is useful in serving older Android devices but may cause problems with iOS
the shorter path is useful in serving modern devices but will cause problems with older Androids

You can either:

Provide two separate FQDNs:
one for older androids: old.EXAMPLE.com
one for modern systems: EXAMPLE.com

OR

switch to another free CA (until this problem gets resolved at LE - ETA = unknown)
there are a few to choose from that are ACME client compatible

jaycherrytin · October 4, 2021, 10:16am

We have multiple domains that our clients access. We can't point each one to 2 different domains.
Isn't there any other way we can make it work? If not, could you please suggest another free CA.

rg305 · October 4, 2021, 10:18am

ZeroSSL.com
BuyPass.com
Both should work with ACME protocol.

jaycherrytin · October 4, 2021, 10:22am

Thanks a lot.
Is it possible that the same issue could arise in theirs as well?

rg305 · October 4, 2021, 10:31am

Not likely (anytime soon).
[not until one of their roots expires - LOL]

Osiris · October 4, 2021, 5:19pm

But it is possible nonetheless.

system · November 3, 2021, 5:20pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SSL Certificate Renewal Failing for My Website Help	8	116	December 20, 2024
Unable to renew certificates - expiring 10/03/17! Help	7	2539	April 9, 2017
Certbot, certificate verify failed Help	18	2562	April 8, 2022
Site not working after renewal of certificate Help	4	2599	January 31, 2018
Recent Renewal issues Help	3	455	October 17, 2020

Certificate renewal issue

Related topics