Certificates Not Valid But They Renewed Successfully [Windows]

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ofw.wellbridge.com and members.wellbridge.com

I ran this command:

It produced this output:

My web server is (include version): IIS 6.1

The operating system my web server runs on is (include version): Windows 2008 R2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Mid-day today it looks like our Certificate has expired. When trying to open an https it reverts to http. The major problem is that a 3rd party, using an API web service is unable to communicate with this server now. When I check the certificate via IIS and win-acme 2.1.16.1037 it shows the Certificate renewed on 9/27/2021 and is valid till 12/26/2021.

Could this be part of the 9/30 cert changes?

I'm not very familiar with certificates. Not sure if there is anything I should try? I'm afraid of just requesting new certs and breaking the existing.

No need to request a new cert.
The Devil is in the details...

The intermediate(s) need to be served correctly.
This is what is being served now:

---
Certificate chain
 0 s:/CN=ofw.wellbridge.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

This is the EXAMPLE to follow:

---
Certificate chain
 0 s:/CN=community.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Which ACME client are you using? "win-acme 2.1.16.1037"?
[Is that current?]
So how did you create the PFX file?
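The two chain listings above are in the format printed by `openssl s_client -showcerts`. The following is an added example for this thread (not code from the original posts, nor from win-acme or IIS) that parses that format and reports whether a server is still sending the old R3 intermediate issued directly by DST Root CA X3, or the recommended chain where R3 is issued by ISRG Root X1 and the ISRG Root X1 cross-sign is included. The two sample chains are copied from the posts above; the function and field names are this example's own.

```python
"""Diagnose a Let's Encrypt chain listing for the DST Root CA X3 expiry problem.

Added example for this thread, not the project's or the poster's code. It reads
the "Certificate chain" block format shown in the thread (as printed by
`openssl s_client -showcerts`) and checks which issuer the R3 intermediate has.
"""
import re
from typing import Dict, List

# Constructed sample input: the chain the server was serving (copied from the thread).
SERVED_CHAIN = """---
Certificate chain
 0 s:/CN=ofw.wellbridge.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

# Constructed sample input: the example chain to follow (copied from the thread).
EXPECTED_CHAIN = """---
Certificate chain
 0 s:/CN=community.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

_SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_LINE = re.compile(r"^\s+i:(.*)$")


def common_name(dn: str) -> str:
    """Return the CN attribute of a slash-separated DN such as /C=US/O=.../CN=R3."""
    for part in dn.strip("/").split("/"):
        if part.startswith("CN="):
            return part[3:]
    return ""


def parse_chain(text: str) -> List[Dict[str, str]]:
    """Turn the 'N s:<subject>' / '  i:<issuer>' pairs into an ordered list."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _SUBJECT_LINE.match(line)
        if m:
            entries.append({"subject": m.group(2).strip(), "issuer": ""})
            continue
        m = _ISSUER_LINE.match(line)
        if m and entries:
            entries[-1]["issuer"] = m.group(1).strip()
    return entries


def diagnose_chain(text: str) -> Dict[str, object]:
    """Report whether the served intermediates have the recommended shape."""
    chain = parse_chain(text)
    # Each issuer should be the subject of the next certificate that is sent.
    linked = all(
        chain[i]["issuer"] == chain[i + 1]["subject"] for i in range(len(chain) - 1)
    )
    r3 = next((c for c in chain if common_name(c["subject"]) == "R3"), None)
    r3_issuer = common_name(r3["issuer"]) if r3 else ""
    # The cross-signed ISRG Root X1 is what keeps older trust stores working.
    sends_isrg_cross = any(common_name(c["subject"]) == "ISRG Root X1" for c in chain)

    if not linked:
        message = "served certificates do not chain to each other; check the PFX/bindings"
    elif r3_issuer == "DST Root CA X3":
        message = ("R3 is issued directly by DST Root CA X3: this is the old intermediate; "
                   "replace it with R3 issued by ISRG Root X1 plus the ISRG Root X1 cross-sign")
    elif r3_issuer == "ISRG Root X1":
        message = "R3 issued by ISRG Root X1: recommended chain"
        if not sends_isrg_cross:
            message += " (ISRG Root X1 cross-sign not sent; old clients may need it)"
    else:
        message = f"unexpected or missing R3 intermediate (issuer: {r3_issuer!r})"

    ok = linked and r3_issuer == "ISRG Root X1"
    return {"ok": ok, "r3_issuer": r3_issuer, "sends_isrg_cross": sends_isrg_cross,
            "message": message}


if __name__ == "__main__":
    for name, text in (("served", SERVED_CHAIN), ("expected", EXPECTED_CHAIN)):
        print(name, diagnose_chain(text))
```

To check a live server, feed `diagnose_chain` the text of `openssl s_client -connect host:443 -servername host -showcerts` instead of the embedded samples; the regexes only look at the `s:`/`i:` lines, so the PEM blocks that `-showcerts` also prints are ignored.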


Looks like I got the win-acme.v2.1.16.1037.x64.pluggable on 4/9/2021
I just downloaded their latest win-acme.v2.1.18.1119.x64.pluggable

Not sure what the PFX file is? I run the win-acme, it creates the cert and then I go into IIS and point the Sites to that cert.

What should I do with the newer version of win-acme to get it to "update" the cert?

Thanks, I appreciate any help.

Not sure how to set it to force that.
You could delete the cert and get a new one.
[but only do that once]

If it still fails, this may have more to do with Windows than the cert or ACME client.

I deleted the IIS certificate in my first post from the IIS > Site Certificates
Ran win-acme (newest version) and generated a new cert
In IIS > Edit Bindings I selected the new cert for my https but it's still not working?
I tried a reboot

Does this look right for the Trusted Root?

There seem to be a lot of certs missing:

What about this one? Should it have an expiration of 3/2021? How do I replace that with a new one if you think that's the problem?

Yes, that is an expired one.
Not part of the problem surfacing today.

There is a Windows site that provides the HOW TO update the cert store...
Let me find that info for you.

See: Release notes - Microsoft Trusted Root Certificate Program | Microsoft Docs

https://aka.ms/CTLDownload

I can't get the certificates to work. Half of my company has been down for 5.5 hours now because of this


Hi it looks like you have switched one cert to ZeroSSL and the other is serving the current (android compatible) chain.

Please also see Let's Encrypt DST Root CA X3 expiry Sept 30th 2021 | Certify The Web Docs - although this is for a different client in Windows it still has some relevant information for Windows in general.

You may find that some clients (apps etc) are struggling due to them holding onto invalid certificate information, for these devices a reboot is recommended.
