DST Root CA X3 expiry countdown

Nice fireworks! The numbers were dancing before too.

4 Likes

On Safari and Chrome I'm getting an issue now with the certificate expiry; it works fine on Firefox and with my iOS devices. I tried renewing the certificate with certbot, and my OpenSSL version is 1.1.1f. Anything I might have overlooked here?

Have you tried to clear the browser cache? That might work.

1 Like

I'd try force-quitting both browsers, re-opening, and trying again. Chrome in particular is known for caching cert-related stuff for longer than necessary.

Your site is also not currently serving anything but the leaf certificate, which can lead to additional problems. You probably want to fix that so it's sending at least the R3 intermediate cert as well.

3 Likes

Hi @Jamil, welcome to the LE community forum :slight_smile:

It seems that site isn't serving any chain at all:

---
Certificate chain
 0 s:/CN=stxnft.com
   i:/C=US/O=Let's Encrypt/CN=R3
---

3 Likes

Well I tried to find IIS sites that are serving LE certs.
I only found four.
Three of which switched automagically to the valid path.
But one did fail to do so:

I'm not familiar with the sites nor any details other than they use IIS/10.
So that's a very unscientific 25% failure on first impact.

2 Likes

Thank you for the warm welcome and the prompt response :smiley:

That was it! Obvious mistake on my end but wouldn't have noticed it until you mentioned it, the site seems all good now. Really appreciate the help and all the great work y'all do.

4 Likes

Yup, it sends the currently default (correct) certificate chain now. :slight_smile:

4 Likes

Actually, on re-review, out of the 3 that did "work", none are using the longer preferred chain:
They are only serving the single intermediate:

 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

I think we are going to be hearing more about these Windows IIS system problems very soon.

Anyone here have an IIS system we can check?

3 Likes

I only have one Windows machine that I had purposefully left serving the expiring R3 cert. And it did not automatically switch to the new R3, which is unfortunate. However, I did find a way to get it to switch that does not require a reboot. But you need to know the current thumbprint of at least one cert associated with a binding in IIS, and you need to be on IIS 8.5 or later (which means Windows Server 2012 R2, Windows 8.1, or newer).

Run the following from an elevated cmd prompt using the cert thumbprint for both the oldcert and newcert parameters.

%SYSTEMROOT%\system32\inetsrv\appcmd.exe renew binding /oldcert:THUMBPRINT /newcert:THUMBPRINT

3 Likes

But does it now serve one or two intermediates?

1 Like

Only one... which is expected based on prior testing, and given the server admin hasn't touched anything related to the Root or Intermediate trust stores.

In order to get Windows to serve the android-compatible long chain, you need to manually import the cross-signed ISRG Root cert into the Intermediate trust store and then either reboot or run that same appcmd.exe thing I posted earlier.

3 Likes

This is the expected example:

---
Certificate chain
 0 s:/CN=community.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Which would work for Oldroids :slight_smile:

3 Likes
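The three chain shapes compared in this thread (leaf only, R3 ending at ISRG Root X1, and the long chain with the cross-signed ISRG Root X1 issued by DST Root CA X3) can be told apart mechanically from the `Certificate chain` section that `openssl s_client` prints. The script below is an added example, not code from the thread or from Let's Encrypt; the sample chains are constructed from the outputs quoted above, and the continuity check (each issuer must be the subject of the next cert sent) is an assumption about how a well-formed chain should look.

```python
"""Classify the chain a server sends, from `openssl s_client` text output.
Added example; the chain samples below are constructed from thread posts."""
import re

ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:/CN=example"
ISSUER_RE = re.compile(r"^\s*i:(.*)$")          # "   i:/C=US/O=.../CN=R3"

# Constructed samples (same DNs as the openssl output quoted in the thread).
LEAF_ONLY = """ 0 s:/CN=stxnft.com
   i:/C=US/O=Let's Encrypt/CN=R3"""
SHORT_CHAIN = """ 0 s:/CN=example.test
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1"""
LONG_CHAIN = SHORT_CHAIN + """
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3"""

def parse_chain(text):
    """Return [(subject_dn, issuer_dn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def cn(dn):
    """Pull the CN out of an openssl-style DN string."""
    m = re.search(r"CN=([^/]+)", dn)
    return m.group(1) if m else dn

def classify_chain(text):
    chain = parse_chain(text)
    if not chain:
        return "no certificates"
    # Each cert's issuer should be the subject of the next cert the server sent.
    for (s, i), (nxt_s, _) in zip(chain, chain[1:]):
        if i != nxt_s:
            return f"broken chain: {cn(s)} issued by {cn(i)}, next cert is {cn(nxt_s)}"
    if len(chain) == 1:
        return "leaf only: no intermediate served"
    last_subject, last_issuer = chain[-1]
    if cn(last_subject) == "ISRG Root X1" and cn(last_issuer) == "DST Root CA X3":
        return "long chain: cross-signed ISRG Root X1 included (old Android compatible)"
    if cn(last_issuer) == "ISRG Root X1":
        return "short chain: ends at R3 issued by ISRG Root X1"
    return "unexpected chain ending at " + cn(last_issuer)
```

Feed it the text between the `---` markers of a real `openssl s_client -connect host:443 -servername host` run to see which of the thread's cases a server falls into.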

Then Windows IIS systems will now be inaccessible to Oldroids (unless admins take action).

1 Like

Yes. Or unless they had taken action prior to the R3 expiration.

3 Likes

Now that the R3 intermediate certificate has officially expired, I can confirm that Windows Server 2019 (IIS 10) has automatically started serving the ISRG Root X1 root certificate chain in the next second after it expires. No reboot or any additional server-side action required. After the expiration of the R3 intermediate certificate, the alternative chain was initially used (with ISRG Root X1 self-signed certificate), but after a few minutes it started to use the default chain (with DST Root CA X3 certificate).

3 Likes

Fascinating. My own Server 2019 did not switch automatically. But it's possible that's because I had been mucking with the cert stores in advance of the expiration for testing and only set them back to their pre-mucking defaults manually this morning.

3 Likes

Hi @Cryptoman, welcome to the LE community forum :slight_smile:

Which tool is that you used?

1 Like

This is webprofusion's new tool:

https://chainchecker.certifytheweb.com/

2 Likes

I'm using the Chain Checker tool developed by Certify The Web. https://chainchecker.certifytheweb.com/

2 Likes