Certificates Showing As Expired on some platforms

That means that your server is sending that cert - which is already in the trust store (not good).
And that cert is actually already expired (also not good - unless you are an old Android device).

no it didn't sent by server - just meaning last intermediate server sent will point to that

1 Like

How do I stop it sending that one, and start sending the right one?

My word, now I know how all the people whose computers I fix feel when they are asking me what look like simple questions to them but I know have complex answers. :rofl:

1 Like

The web server seems correct (or as correct as it can be today).
The problem is with your email system - it isn't using the chain at all.

Thanks, parameter in which file?

/etc/dovecut/conf.d/10-ssl? or /etc/dovecut/dovcut.conf?
whereever your dovecut config is

1 Like

Thanks, it's set to to that already I think?:

10-ssl.conf:ssl_cert = < /etc/letsencrypt/live/tenjinconsulting.co.uk/fullchain.pem

1 Like

Looking further, local.conf in /etc/dovecot has the following lines. Does this make any difference?:

ssl_cert = </etc/letsencrypt/live/tenjinconsulting.co.uk/cert.pem
ssl_key = </etc/letsencrypt/live/tenjinconsulting.co.uk/privkey.pem

ya cert.pem doesn't have any intermediates

1 Like

Change cert.pem to fullchain.pem and reload Dovecot.

Is there also a SMTP service running somewhere? Ah yes, SMTP with STARTTLS on port 25 also misses the intermediate certificate. Please also update and reload your SMTP service.

Thanks everyone, I'll try those and report back. :+1:

Thanks for your help everyone, it looks like this is now fixed.

Moving all references to "cert.pem" to "fullchain.pem" seems to have fixed it.

Thanks again!


I'm facing the similar issue on chrome browser while accessing my website where as it works fine on Mozilla Firefox. Can you please let us know if there is any possible workaround to mitigate this issue.

Google Chrome 94.0.4606.71 (Official Build) (64-bit) (cohort: Stable Installs & Full Version Pins)
Revision 1d32b169326531e600d836bd395efc1b53d0f6ef-refs/branch-heads/4606@{#1256}
OS Windows 7 Service Pack 1 (Build 7601)
JavaScript V8
User Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36
Command Line C:\Program Files\Google\Chrome\Application\chrome.exe --from-installer --flag-switches-begin --flag-switches-end
Executable Path C:\Program Files\Google\Chrome\Application\chrome.exe

Windows Information:
Operating System: Windows 7 Professional 64-bit (6.1, Build 7601) Service Pack 1 (7601.win7sp1_gdr.130828-1532)


I'm facing the same issue, with a client's api endpoint. I get:

failed, reason: certificate has expired

They said the certificate is ok, I've checked it everywhere and it seems fine.
it's showing is not using the retired certificate.

What can I do? The client said other customers are able to access their apis just fine.

Try importing the self-signed "ISRG Root X1" (and maybe rebooting afterwards)
[download it then double-click it to install it into the Windows Certificate store]


I'm accessing their API from a docker image on ECS in aws. So I would need to create a set of commands in the Dockerfile to run in the build. Does anyone have a straight up fix for this?

So I am having a similar problem with an Alexa skill calling a local Webservice (to control my Sonos system) running on a Pi. The Web call works fine from Chrome browser but when Alexa makes the same call it fails and reports:

Error: certificate has expired
at Error (native)
at TLSSocket. (_tls_wrap.js:1092:38)
at emitNone (events.js:86:13)
at TLSSocket.emit (events.js:185:7)
at TLSSocket._finishInit (_tls_wrap.js:610:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38) code: 'CERT_HAS_EXPIRED' }
2021-10-02T17:34:36.545Z aaf5a8ee-5b69-49e4-997b-7c8abb13addd { Error: certificate has expired at Error (native) at TLSSocket. (_tls_wrap.js:1092:38) at emitNone (events.js:86:13) at TLSSocket.emit (events.js:185:7) at TLSSocket._finishInit (_tls_wrap.js:610:8) at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38) code: 'CERT_HAS_EXPIRED' }

I have tried renewing my letsencrypt cert but is reports it does not need renewing and as above, the web service is configured to used fullchain.pem. This has worked fine for a number of years and has just recently stopped working. Does anyone have any ideas please? Thanks


So I sorted this by doing 3 things:

  1. edit the file /etc/ca-certificates.conf and added the remove flag "!" to the DST_root_ca_xt3.crt.

update certificates:
sudo update-ca-certificates

  1. Forced a cert renew:
    sudo certbot renew --force-renewal --preferred-chain "ISRG Root X1"

  2. Updated my Alexa Skill to a later node.js runtime version

The first 2 on their own didn't work so I do wonder if just updating the skill runtime would have been enough... But all working again now


Hi @pete101 welcome to the LE community forum :slight_smile:
And thank you for posting the clearly documented solution to the problem :slight_smile:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.