Certificates Showing As Expired on some platforms

asasp · October 1, 2021, 8:42am

I'm facing the same issue, with a client's api endpoint. I get:

failed, reason: certificate has expired

They said the certificate is ok, I've checked it everywhere and it seems fine.
it's showing is not using the retired certificate.

What can I do? The client said other customers are able to access their apis just fine.

rg305 · October 1, 2021, 9:17am

Try importing the self-signed "ISRG Root X1" (and maybe rebooting afterwards)
https://letsencrypt.org/certs/isrgrootx1.der
[download it then double-click it to install it into the Windows Certificate store]

asasp · October 1, 2021, 9:21am

I'm accessing their API from a docker image on ECS in aws. So I would need to create a set of commands in the Dockerfile to run in the build. Does anyone have a straight up fix for this?

pete101 · October 2, 2021, 6:04pm

So I am having a similar problem with an Alexa skill calling a local Webservice (to control my Sonos system) running on a Pi. The Web call works fine from Chrome browser but when Alexa makes the same call it fails and reports:

Error: certificate has expired
at Error (native)
at TLSSocket. (_tls_wrap.js:1092:38)
at emitNone (events.js:86:13)
at TLSSocket.emit (events.js:185:7)
at TLSSocket._finishInit (_tls_wrap.js:610:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38) code: 'CERT_HAS_EXPIRED' }
2021-10-02T17:34:36.545Z aaf5a8ee-5b69-49e4-997b-7c8abb13addd { Error: certificate has expired at Error (native) at TLSSocket. (_tls_wrap.js:1092:38) at emitNone (events.js:86:13) at TLSSocket.emit (events.js:185:7) at TLSSocket._finishInit (_tls_wrap.js:610:8) at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38) code: 'CERT_HAS_EXPIRED' }

I have tried renewing my letsencrypt cert but is reports it does not need renewing and as above, the web service is configured to used fullchain.pem. This has worked fine for a number of years and has just recently stopped working. Does anyone have any ideas please? Thanks

pete101 · October 2, 2021, 7:43pm

So I sorted this by doing 3 things:

edit the file /etc/ca-certificates.conf and added the remove flag "!" to the DST_root_ca_xt3.crt.
!mozilla/DST_Root_CA_X3.crt

update certificates:
sudo update-ca-certificates

Forced a cert renew:
sudo certbot renew --force-renewal --preferred-chain "ISRG Root X1"
Updated my Alexa Skill to a later node.js runtime version

The first 2 on their own didn't work so I do wonder if just updating the skill runtime would have been enough... But all working again now

rg305 · October 2, 2021, 11:28pm

Hi @pete101 welcome to the LE community forum
And thank you for posting the clearly documented solution to the problem

system · November 1, 2021, 11:29pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.