Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
##The certbot renewal went through but still when we hit the URL it says that the issued certificate has expired
My domain is:
I ran this command: wget URL
It produced this output: Issued certificate has expired.
My web server is (include version):
The operating system my web server runs on is (include version):RHEL7
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 0.29.1
Thank you for following up on this.
Certbot renewal was successful but below is the error, do we need to renew the root certificate from Certbot website, is it so ?
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
###########################################Requested output###########################
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Ah, that looks like the CA root cert store on your RHEL7 is badly out of date.
That said, your cert is not necessarily bad. See a site like this and I think you will find it verifies successfully. Just enter your domain name and port 443 to test HTTPS access.
Do you need the WGET on your own server to succeed? Or are you just concerned by the message?
You are showing a part of the "long chain" that your server uses. Here is more background info on the long and short chains. Note that most sites use the long chain like yours even this forum website
Thank you for the confirmation that cert will still work when we connect from our internal network but when we connect externally it still throws error that the site i snot secured
Also possibility (on older versions of Apache) that you are using a very outdated chain file.
Of course, without any real information, we can only guess.
We are trying to help but you do not give us much info.
I think you have an old CA Certificates root store. An updated package was created last Sept to address problems that occurred when DST Root CA X3 expired on Sept30. See this topic. I know the title says RHEL/CentOS6 but info on RHEL7 is there too.
One way to confirm you have an old root store is with this: