Error with newly retrieved certificates - TLSV1_ALERT_UNKNOWN_CA

Hello. I've been using Let's Encrypt for the last 4 years.
I have multiple servers that automatically update the certificates before they expire.

Yesterday, one of the servers updated the certificate, and devices that were using the TLS connection stopped connecting to it with the following error:

Reason : javax.net.ssl.SSLHandshakeException: error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA

The new certificate works just fine when I open the site from the browser. I checked with another server. The situation is the same: the newly retrieved certificate causes the above error for all SSL/TLS connections. The old certificate works fine.

The main diff I found between:

New (non working):
CN = R3
O = Let's Encrypt
C = US

Old (working):
CN = Let's Encrypt Authority X3
O = Let's Encrypt
C = US

Could you please advise?

Looks similar to the OCSP Responder 'unauthorized' error. Could it be the same issue? The URLs seem correct:

        Authority Information Access: 
            OCSP - URI:http://r3.o.lencr.org
            CA Issuers - URI:http://r3.i.lencr.org/

Ok, found the problem. The clients actually had a hardcoded issuer and Let's Encrypt had changed issuer recently.


Yeah, never hardcode anything if it isn't necessary.

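As an added example (not code from this thread, the OP, or Let's Encrypt), here is a Java client-side illustration of the failure found above and of the "never hardcode" advice: a trust manager that pins the intermediate issuer DN exactly as the old clients did, beside the two ways to do it properly (delegate to the platform trust store, or pin the root you ship). The issuer DNs are the ones shown in the thread; the class name, the command-line modes and the PEM-file argument are my own; ISRG Root X1 is Let's Encrypt's root and is mentioned here as background, not as something the thread states.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/** Illustrative only: why a hardcoded intermediate issuer breaks on CA rotation, and two fixes. */
public final class IssuerPinningExample {

    /** ANTI-PATTERN: accept the leaf only if its direct issuer is one specific intermediate. */
    static final class HardcodedIssuerTrustManager implements X509TrustManager {
        private static final X500Principal PINNED_ISSUER =
            new X500Principal("CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US");

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("empty certificate chain");
            }
            X500Principal issuer = chain[0].getIssuerX500Principal();
            // After the rotation the leaf is issued by "CN=R3, O=Let's Encrypt, C=US", so this
            // throws, and JSSE reports it to the peer as a TLS unknown_ca alert. Nothing else
            // about the chain (signatures, validity, trust anchor) is checked here either.
            if (!issuer.equals(PINNED_ISSUER)) {
                throw new CertificateException("issuer not pinned: " + issuer.getName());
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("client authentication not supported");
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    private static X509TrustManager firstX509(TrustManagerFactory tmf) {
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** FIX 1: validate the whole chain against the JVM trust store; intermediate rotation is transparent. */
    static X509TrustManager platformDefaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = default trust store (cacerts)
        return firstX509(tmf);
    }

    /** FIX 2: if you must pin, pin a root you ship (e.g. ISRG Root X1), not an intermediate. */
    static X509TrustManager rootPinnedTrustManager(Path rootPem) throws Exception {
        X509Certificate root;
        try (InputStream in = Files.newInputStream(rootPem)) {
            root = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory store holding only the pinned root
        ks.setCertificateEntry("pinned-root", root);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return firstX509(tmf);
    }

    /** Usage: java IssuerPinningExample <host> [hardcoded|default|root <root.pem>] */
    public static void main(String[] args) throws Exception {
        String host = args[0];
        String mode = args.length > 1 ? args[1] : "default";
        X509TrustManager tm;
        switch (mode) {
            case "hardcoded": tm = new HardcodedIssuerTrustManager(); break;
            case "root":      tm = rootPinnedTrustManager(Path.of(args[2])); break;
            default:          tm = platformDefaultTrustManager();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            // A raw SSLSocket does not verify the hostname unless asked; a custom trust manager
            // that skips this is the other classic way to end up with a silently broken client.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            for (Certificate c : s.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("subject=" + x.getSubjectX500Principal().getName()
                    + "  issuer=" + x.getIssuerX500Principal().getName());
            }
        }
    }
}
```

Running it with `hardcoded` against a host that now serves an R3-issued certificate reproduces the handshake failure; `default` succeeds as long as the chain reaches a root in the JVM's cacerts, and `root` succeeds only for the root you supplied. Note that roots rotate too (more slowly), so even root pinning needs an update path; the platform store is the safest default for clients you cannot easily redeploy.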
