DST Root CA certificate not yet valid - Fixed


I have installed your certifications in my domain from the past years but now i am trying to integrate with another service and they have notice that one of certificates in the chain is not valid more specific the certificate issued by DST Root CA X3 and i admit that I am bit lost in how to solve or ammend this problem. Any possible direction would be highly appreciated.. I have paste an screenshot of the complain of the service just in case it helps.

Thanks very much for you attention,

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.29.0

The DST Root CA X3 root certificate has expired. It's only used for Android compatibility for Android versions pre-7.1. Usually, TLS clients would just ignore the DST Root CA X3 and would validate the R3 intermediate signed by the ISRG Root X1 root certificate, provided that TLS client has this root cert in its root certificate store.

See Extending Android Device Compatibility for Let's Encrypt Certificates - Let's Encrypt for more information.


The link @Osiris gave talks about an "alternate chain" that can be configured so your web server doesn't serve the copy of "ISRG Root X1" that points to the expired DST Root. Here's a bit more info on the difference between the chains.

Since you're on Linux using an up-to-date version of certbot with nginx, you should be able to use the alternate chain by including --preferred-chain "ISRG Root X1" in your certbot commands. I'm not exactly sure the best way to modify existing orders. But I'm sure others more familiar with certbot might be able to provide that guidance.


Also the reason you can view the cert in Windows and the chain looks ok is because Windows knows DST Root CA X3 is expired and builds the alternate chain itself, but your actual service can still be serving using the the old chain. See also https://chainchecker.certifytheweb.com/


Thanks very much i will swap to short chain and see if solves the problem.

1 Like

Thanks alot. I will try that.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.