DST Root CA X3 Expiration

Apparently, this is still an issue with Let's Encrypt certificates. I have 30 plus websites running across multiple hosting companies. There certificates were installed via the hosting company interface - aka I clicked a button and filled in domain name and an email address. Every website is failing at Root 1

I am using this service to check my certificates:
https://www.sslchecker.com/sslchecker

CloudWays can't see anything wrong with the SSL cert, however, they are not using the sslchecker.com website.

If it was just this sslchecker website I wouldn't care, however, I use Kaspersky Internet Security and it is blocking any website with a Let's Encrypt certificate. Yes, I can add an exception, but many internet users are not this savvy and will just leave the website.

How many 10's of thousands of people use Kaspersky?

Hello @stevedigital, welcome to the Let's Encrypt community. :slightly_smiling_face:

I do not find any Root 1 here Chain of Trust - Let's Encrypt
and DST Root CA X3 has expired and not a Let's Encrypt's self signed Root Certificate
see here: DST Root CA X3 Expiration (September 2021) - Let's Encrypt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

2 Likes

Also this maybe of help as well Long (default) and Short (alternate) Certificate Chains Explained

3 Likes

Website: https://thesarasotaplumber.com/

What I see:

This is running on WordPress.
Hosted via CloudWays on Digital Ocean servers.

I just realized, this seems to be an issue with only the "www" version of the website.
Without adding www in front of the domain name, it works

This is what I see on Windows 10 with Firefox 106.0.3 (64-bit)

And again Windows 10 with Google Chrome Version 107.0.5304.88 (Official Build) (64-bit) I see:

1 Like

That's not a Chrome error.

Do you have some kind of browser extension, firewall, antivirus messing up your network?

3 Likes

https://www.ssllabs.com/ssltest/analyze.html?d=thesarasotaplumber.com
is not having any issues either.

1 Like

Correct! Because the Subject CN and Alternative names (SAN) do not contain www.thesarasotaplumber.com in them

4 Likes

I think this URL is the issue - looks like there is a missing CNAME record

https://www.thesarasotaplumber.com/

Thanks @Bruce5051 - very grateful for your assistance!

4 Likes

You are welcome @stevedigital, have a pleasant rest of the day. :slightly_smiling_face:

2 Likes