Expired R3 chain

Ever since updating my cert things are not working right. Any advice?

[screenshot: cert]

1 Like

Hi @tgwaste, welcome to the LE community forum :slight_smile:

That picture implies that you are serving a very old chain.
One that LE stopped providing back in May 2021.
But I can't be certain without testing the FQDN.

1 Like

*.twg.org is the domain

I would not be able to test such an FQDN:

That might be the wildcard used... but that's not very useful to me.

1 Like

twg.org or www.twg.org should be the same.

1 Like

I see nothing wrong:

```
openssl s_client -connect www.twg.org:443 -servername www.twg.org | head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.twg.org
verify return:1
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = *.twg.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
```

1 Like

And yet neither Safari nor Chrome likes the cert.

1 Like

And I don't see the R3 > X3 shown in your picture.
I see R3 > X1 > X3.

Then try using the shorter chain R3 > X1.
Remove the last cert from the fullchain.pem file and restart web service.

2 Likes
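The trimming step above, as an added example (not code from the thread): list the subject/issuer of every certificate in a fullchain.pem-style bundle, then write a copy with the final block (here the ISRG Root X1 cross-signed by DST Root CA X3) removed, leaving leaf > R3. Assumes a bundle of concatenated PEM blocks and an `openssl` binary for the listing step only.

```sh
#!/bin/sh
# Added example: inspect and shorten a PEM chain bundle such as fullchain.pem.
# Assumes the bundle is leaf, R3, cross-signed X1 (as in the s_client output
# above) and that only the last block should be dropped.
set -eu

# show_chain FILE -> prints subject and issuer of every certificate in FILE
# (needs openssl; not required by the trimming functions below)
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# count_certs FILE -> number of PEM certificate blocks in FILE
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# drop_last_cert IN OUT -> writes every certificate block except the last to OUT
drop_last_cert() {
    total=$(count_certs "$1")
    if [ "$total" -lt 2 ]; then
        echo "refusing to trim: $1 holds only $total certificate(s)" >&2
        return 1
    fi
    # n counts BEGIN markers seen so far; lines belonging to block n > keep are skipped
    awk -v keep="$((total - 1))" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n <= keep { print }
    ' "$1" > "$2"
}

# Typical use (then restart the web service so it reloads the file):
#   show_chain /etc/letsencrypt/live/example.com/fullchain.pem
#   drop_last_cert fullchain.pem fullchain-short.pem
```

Point the web server at the trimmed file (or overwrite the original after backing it up) and restart it, as the thread describes.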

Looks like that worked, thank you!

2 Likes

BTW, keep in mind a cert for *.example.com only covers single-depth subdomains. It won't be valid for foo.baa.example.com.

1 Like

Glad to help :slight_smile:
Cheers from Miami :beers:

#FreeCUBA :cuba:

1 Like

Is it required to keep the TXT record around when making a *.domain cert?

1 Like

After use you can remove the TXT record; each time you renew the cert you will get a new TXT record to post.

2 Likes

Oh... crappy. There goes automation.

Depending on the DNS Service Provider (DSP) used, there may be a way to fully automate the DNS adds/removes.

2 Likes

Your DNS appears to be Google Cloud; many ACME clients already support automated DNS validation for such large providers. If not, you can script the updates yourself using their API. Other alternatives include acme-dns-type services (CNAME delegation to a DNS challenge response service).

3 Likes

Correct, certbot has a certbot-dns-google plugin available.

3 Likes
