DST Root CA X3 Expiration

Apparently, this is still an issue with Let's Encrypt certificates. I have 30 plus websites running across multiple hosting companies. There certificates were installed via the hosting company interface - aka I clicked a button and filled in domain name and an email address. Every website is failing at Root 1

I am using this service to check my certificates:

CloudWays can't see anything wrong with the SSL cert, however, they are not using the sslchecker.com website.

If it was just this sslchecker website I wouldn't care, however, I use Kaspersky Internet Security and it is blocking any website with a Let's Encrypt certificate. Yes, I can add an exception, but many internet users are not this savvy and will just leave the website.

How many 10's of thousands of people use Kaspersky?

Hello @stevedigital, welcome to the Let's Encrypt community. :slightly_smiling_face:

I do not find any Root 1 here Chain of Trust - Let's Encrypt
and DST Root CA X3 has expired and not a Let's Encrypt's self signed Root Certificate
see here: DST Root CA X3 Expiration (September 2021) - Let's Encrypt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!


Also this maybe of help as well Long (default) and Short (alternate) Certificate Chains Explained


Website: https://thesarasotaplumber.com/

What I see:

This is running on WordPress.
Hosted via CloudWays on Digital Ocean servers.

I just realized, this seems to be an issue with only the "www" version of the website.
Without adding www in front of the domain name, it works

This is what I see on Windows 10 with Firefox 106.0.3 (64-bit)

And again Windows 10 with Google Chrome Version 107.0.5304.88 (Official Build) (64-bit) I see:


That's not a Chrome error.

Do you have some kind of browser extension, firewall, antivirus messing up your network?


is not having any issues either.


Correct! Because the Subject CN and Alternative names (SAN) do not contain www.thesarasotaplumber.com in them


I think this URL is the issue - looks like there is a missing CNAME record


Thanks @Bruce5051 - very grateful for your assistance!


You are welcome @stevedigital, have a pleasant rest of the day. :slightly_smiling_face:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.