Nice fireworks! The numbers were dancing before too.
On Safari and Chrome I'm getting an issue now with the certificate expiry; it works fine on Firefox and with my iOS devices. I tried renewing the certificate with certbot, and my OpenSSL version is 1.1.1f. Anything I might have overlooked here?
Have you tried to clear the browser cache? That might work.
I'd try force-quitting both browsers, re-opening, and trying again. Chrome in particular is known for caching cert related stuff for longer than necessary.
Your site is also not currently serving anything but the leaf certificate which can lead to additional problems. You probably want to fix that so it's sending at least the R3 intermediate cert as well.
Hi @Jamil, welcome to the LE community forum
It seems that site isn't serving any chain at all:
--- Certificate chain 0 s:/CN=stxnft.com i:/C=US/O=Let's Encrypt/CN=R3 ---
Well I tried to find IIS sites that are serving LE certs.
I only found four.
Three of which switched automagically to the valid path.
But one did fail to do so:
I'm not familiar with the sites nor any details other than they use IIS/10.
So that's a very unscientific 25% failure on first impact.
Thank you for the warm welcome and the prompt response
That was it! Obvious mistake on my end but wouldn't have noticed it until you mentioned it, the site seems all good now. Really appreciate the help and all the great work y'all do.
Yup, it sends the currently default (correct) certificate chain now.
Actually in rereview, out of the 3 that did "work", none are using the longer preferred chain:
They are only serving the single intermediate:
1 s:/C=US/O=Let's Encrypt/CN=R3 i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
I think we are going to be hearing more about these Windows IIS system problems very soon.
Anyone here have an IIS system we can check?
I only have one Windows machine that I had purposefully left the serving the expiring R3 cert on. And it did not automatically switch to the new R3 which is unfortunate. However, I did find a way to get it to switch that does not require a reboot. But you need to know the current thumbprint of at least one cert associated with a binding in IIS and you need to be on IIS 8.5 or later (which means Windows Server 2012 R2, Windows 8.1, or newer).
Run the following from an elevated cmd prompt using the cert thumbprint for both the oldcert and newcert parameters.
%SYSTEMROOT%\system32\inetsrv\appcmd.exe renew binding /oldcert:THUMBPRINT /newcert:THUMBPRINT
But does it now serve one or two intermediates?
Only one...which is expected based on prior testing and given the server admin hasn't touched anything related to the Root or Intermediate trust stores.
In order to get Windows to serve the android-compatible long chain, you need to manually import the cross-signed ISRG Root cert into the Intermediate trust store and then either reboot or run that same
appcmd.exe thing I posted earlier.
This is the expected example:
--- Certificate chain 0 s:/CN=community.letsencrypt.org i:/C=US/O=Let's Encrypt/CN=R3 1 s:/C=US/O=Let's Encrypt/CN=R3 i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 ---
Which would work for Oldroids
Then Windows IIS systems will now be inaccessible to Oldroids (unless admins take action).
Yes. Or unless they had take action prior to the R3 expiration.
Now that the R3 intermediate certificate has officially expired, I can confirm that Windows Server 2019 (IIS 10) has automatically started serving the ISRG Root X1 root certificate chain in the next second after it expires. No reboot or any additional server-side action required. After the expiration of the R3 intermediate certificate, the alternative chain was initially used (with ISRG Root X1 self-signed certificate), but after a few minutes it started to use the default chain (with DST Root CA X3 certificate).
Fascinating. My own Server 2019 did not switch automatically. But it's possible that's because I had been mucking with the cert stores in advance of the expiration for testing and only set them back to their pre-mucking defaults manually this morning.
Hi @Cryptoman, welcome to the LE community forum
Which tool is that you used?
This is webprofusions new tool:
I'm using the Chain Checker tool developed by Certify The Web. https://chainchecker.certifytheweb.com/