There you see your problem.
That's not the new R3 certificate, that's the old intermediate you use.
So that can't work with a newly created certificate, the error is expected.
apiculture-formation.com has the old certificate, so that's correct.
Dear Jürgen, I am sorry that I cannot see what you see. I guess that probably all my other certificates might not work anymore too when they are renewed?
Please tell me what I have to do to fix that.
Thank you very much.
Replace the ssl.ca file (shown in the image in your previous post) with this file:
It is the correct CA intermediate certificate for newly issued Let's Encrypt certificates.
This is the old one, which you are currently using:
Also, if you're using an up-to-date version of Webmin, consider letting the Webmin developers know that they seem to have hard-coded the old intermediate certificate, or at least that they're apparently not properly handling changes in the intermediate certificate (such as the one that took place recently).
According to the comments in that commit, you can also fix this by having Certbot installed, which will avoid the behavior where the chain is hardcoded.
So fullchain (via SSLCertificateChainFile) appears to be deprecated in Apache...
The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes
The Apache docs can claim it is deprecated, but until CentOS 7 EOL (July 2024) it won't really be the case.
knows nothing of the deprecation.
I copied the .pem of your link in my file ssl.ca but it is not better.
Did you replace the file entirely or did you try to combine them?
Please show the lines in the vhost config where you use the cert/chain/etc.
I replaced the text which was in the ssl.ca with the https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem.
Then I changed in this file
x3 -> r3
Now it works, thank you very much!!!
I guess I need to make the same change to the ssl.ca files for all other websites on this server too?
Sounds right to me.
I just don't understand why they're pinning the intermediate certificate. That's a recipe for failure.
There also isn't any need to do that, as their fallback ACME client (for which the intermediate pinning was built) outputs the complete chain when issuing a certificate. No need to pin the intermediate at all. I replied as such on that GitHub commit.
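A check for the mismatch diagnosed in this thread, added here as an example (it was not posted by any participant and is not Webmin's or Certbot's code): it compares the issuer of a leaf certificate with the subject of the first certificate in a chain file such as ssl.ca. The function names, file names and the throwaway certificates generated by the script are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: does the chain file (e.g. ssl.ca) hold the CA that issued the leaf?
# Compares names only (issuer of the leaf vs. subject of the first certificate in
# the chain file); it does not verify the signature.
chain_matches_leaf() {
    leaf=$1; chain=$2
    want=$(openssl x509 -noout -issuer_hash -in "$leaf") || return 2
    have=$(openssl x509 -noout -subject_hash -in "$chain") || return 2
    if [ "$want" = "$have" ]; then
        echo "OK: $chain matches the issuer of $leaf"
        return 0
    fi
    echo "MISMATCH: $leaf was issued by:"
    openssl x509 -noout -issuer -in "$leaf"
    echo "but $chain contains:"
    openssl x509 -noout -subject -in "$chain"
    return 1
}

# Constructed test material: two throwaway self-signed "intermediates"
# (old and new) and a leaf signed by the new one. None of these are real CAs.
make_demo_certs() {
    dir=$1
    for ca in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=Constructed Demo CA/CN=Demo Intermediate $ca" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/new.pem" -CAkey "$dir/new.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
# Renewed leaf served with the stale chain file: reported as a mismatch.
chain_matches_leaf "$demo_dir/leaf.pem" "$demo_dir/old.pem" || true
# Same leaf after the chain file has been replaced: reported as OK.
chain_matches_leaf "$demo_dir/leaf.pem" "$demo_dir/new.pem"
rm -rf "$demo_dir"
```

Run against a real vhost, the two arguments would be the files that the certificate and chain directives in the vhost config point at.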
Thank you for opening this thread, it helped solve my problem.
Thank you very much for posting the solution, it helped solve my problem.
Welcome to the Let's Encrypt Community
You're quite welcome!