I am getting a "Your connection is not private" error because the certificate is invalid, but the expiration on the certificate is November 26th '21, in Mac Chrome Version 93.0.4577.82 and Version 94.0.4606.71 (latest) on my site iperQ.com since yesterday. Even https://letsencrypt.org/ and Wikipedia.org show the same error.
Is something up?
Same problems here.
Further testing has the same issue in Safari. I am using Firefox to write this post. I think the issue is on any site using Let's Encrypt R3
Seems this is the problem (no idea on a fix though):
There was some Scheduled Maintenance yesterday
Let's Encrypt Status
Title: Boulder Update to release-2021-09-27
Planned Start: September 30, 2021 17:00 UTC
Expected End: September 30, 2021 17:45 UTC
Affected Infrastructure
Components: acme-v02.api.letsencrypt.org (Production), ocsp.root-x1.letsencrypt.org, {e1,e2,r3,r4}.o.lencr.org & ocsp.int-x{3..4}.letsencrypt.org
Locations: High Assurance Datacenter 1, High Assurance Datacenter 2
Details:
We will be updating Boulder to release-2021-09-27. Changelog is: Comparing release-2021-09-21...release-2021-09-27 · letsencrypt/boulder · GitHub. This will be applied as a rolling restart. No downtime is expected.
Maybe this has something to do with it
Thanks for that
If you reissue (not renew) your cert, it will grab the valid alternate cert chain. That should fix the iOS, Chrome & Safari problem.
Thanks so much
This was standard weekly maintenance, despite the fact that DST Root CA X3 expired.
Hi Jim,
I have run the following command:
certbot certonly --nginx --agree-tos --no-eff-email --email jgillmor@gmail.com
and got this:
Which names would you like to activate HTTPS for?
1: iperq.com
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Certificate not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/iperq.com.conf)
What would you like to do?
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): c
Operation canceled. You may re-run the client.
I entered C to cancel because you said not to renew. Should I have entered 2 to Renew & replace the certificate, or am I totally off and should be doing something else?
Thanks again for your help.
You can press 2 (Renew & replace).
If you still have a problem with Chrome & Safari, let us know. There are other fixes for this.
Unfortunately, entering 2 (Renew & replace the certificate) has not fixed the issue.
Any other suggestions?
Thanks
As you've already seen and also read correctly earlier, that doesn't help. Only if you also changed the preferred root using --preferred-root "ISRG Root X1" it would have changed something. (That option requires certbot 1.12.0 or newer.)
The issue you're having is most likely Mac-related. Please check the Community for other Mac-threads related to the DST Root CA X3 expiry.
I used certbot certonly --nginx -d iperq.com -d www.iperq.com --agree-tos --no-eff-email --email jgillmor@gmail.com --preferred-root "ISRG Root X1". Not working, it returned:
certbot: error: unrecognized arguments: --preferred-root ISRG Root X1
After a little research I tried: certbot certonly --nginx -d iperq.com -d www.iperq.com --agree-tos --no-eff-email --email jgillmor@gmail.com --preferred-chain "ISRG Root X1"
It did its thing but still has not resolved the issue.
Anything else I could try?
Thanks
Hi @JAG007,
The form --preferred-chain (not --preferred-root) is correct, and looking at your site now, it looks like it did what it was supposed to do.
It doesn't look like anyone in this thread has asked you what version of macOS you're running. Since Chrome uses the list of root CAs from the local operating system (not its own list), the version of macOS is much more important here than the version of Chrome.
According to the certificate compatibility list, you need macOS 10.12.1 or later for compatibility with Let's Encrypt certificates from now on (unless you want to install a browser like Firefox that includes its own list of trusted root CAs). Which version of macOS are you running?
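An added example, not part of any post in this thread: a shell check of which chain a PEM bundle (such as certbot's fullchain.pem) ends in, read from the issuer of its last certificate. The certificates are throwaway ones constructed inside the script that only reuse the real CA names; top_issuer, classify_chain and new_cert are names chosen here.

```shell
#!/usr/bin/env bash
# Added example: which root does a PEM bundle (e.g. fullchain.pem) lead to?
set -eu

# Issuer line of the LAST certificate in the bundle.
top_issuer() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
         { buf = buf $0 "\n" }
         END { printf "%s", buf }' "$1" | openssl x509 -noout -issuer
}

# Name the chain by that issuer.
classify_chain() {
    case "$(top_issuer "$1")" in
        *"DST Root CA X3"*) echo "long chain (cross-signed by DST Root CA X3)" ;;
        *"ISRG Root X1"*)   echo "short chain (ISRG Root X1)" ;;
        *)                  echo "unrecognised chain" ;;
    esac
}

# Constructed sample data: throwaway certificates that only reuse the real CNs.
demo_dir=$(mktemp -d)

# new_cert ID CN [SIGNER_ID]: self-signed when SIGNER_ID is omitted.
new_cert() {
    local id=$1 cn=$2 signer=${3:-}
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$demo_dir/$id.key" -out "$demo_dir/$id.csr" 2>/dev/null
    if [ -z "$signer" ]; then
        openssl x509 -req -in "$demo_dir/$id.csr" -signkey "$demo_dir/$id.key" \
            -days 1 -set_serial 1 -out "$demo_dir/$id.pem" 2>/dev/null
    else
        openssl x509 -req -in "$demo_dir/$id.csr" -CA "$demo_dir/$signer.pem" \
            -CAkey "$demo_dir/$signer.key" -days 1 -set_serial 1 \
            -out "$demo_dir/$id.pem" 2>/dev/null
    fi
}

new_cert dst  "DST Root CA X3"        # stand-in for the expired root
new_cert x1   "ISRG Root X1" dst      # stand-in for the cross-signed X1
new_cert r3   "R3" x1                 # stand-in for the R3 intermediate
new_cert leaf "example.test" r3
cat "$demo_dir/leaf.pem" "$demo_dir/r3.pem" "$demo_dir/x1.pem" > "$demo_dir/long.pem"
cat "$demo_dir/leaf.pem" "$demo_dir/r3.pem" > "$demo_dir/short.pem"

classify_chain "$demo_dir/long.pem"
classify_chain "$demo_dir/short.pem"
```

On a real host, pass the path of the fullchain.pem that certbot wrote for the certificate instead of the constructed bundles.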
I have absolutely no idea why I said root instead of chain. My apologies. Probably didn't have my coffee yet.
Thanks anyway
My Mac version 10.11.6
So that means that all mac machines running chrome on machines before 10.12 will have this issue.
WOW!!
Thanks for your help
In an ideal world, people wouldn't keep using unsupported software. So in an ideal world, this wouldn't be an issue.
I'm looking after the website for a not for profit and users reported the same issue with the latest Chrome browser & Safari.
I'm renewing the certificate with
sudo certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
When I try to fix the issue by adding the preferred-chain argument I get the following:
sudo certbot certonly --manual --preferred-chain "ISRG Root X1" --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
certbot: error: unrecognized arguments: --preferred-chain ISRG Root X1