Ever since updating my cert things are not working right. Any advice?
Hi @tgwaste welcome to the LE community forum
That picture implies that you are serving a very old chain.
One that LE stopped providing back in May 2021.
But I can't be certain without testing the FQDN.
*.twg.org is the domain
I would not be able to test such an FQDN:
That might be the wildcard used... but that's not very useful to me.
I see nothing wrong:
```
openssl s_client -connect www.twg.org:443 -servername www.twg.org | head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.twg.org
verify return:1
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = *.twg.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
```
---
And yet neither Safari nor Chrome likes the cert.
And I don't see the R3 > X3 shown in your picture.
I see R3 > X1 > X3.
Then try using the shorter chain R3 > X1.
Remove the last cert from the fullchain.pem file and restart the web service.
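The trim described above, as an added example that is not part of the original thread: a small stdlib-only Python helper that drops the final certificate block from a fullchain.pem (leaf first, then R3, then the cross-signed ISRG Root X1), and refuses to trim a bundle that would be left with fewer than two certificates. The sample bundle uses placeholder bodies, not real certificates.

```python
import re

# Matches one PEM certificate block, including its BEGIN/END lines.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----",
    re.DOTALL,
)

def split_pem_chain(text):
    """Return the PEM certificate blocks in a bundle, in file order."""
    return PEM_CERT.findall(text)

def drop_last_cert(text, min_remaining=2):
    """Return the bundle without its final certificate, preserving order.

    fullchain.pem is ordered leaf first, then intermediates. Dropping the
    last block removes the trailing cross-signed root (ISRG Root X1 signed
    by DST Root CA X3) and leaves leaf + R3. Raises if fewer than
    min_remaining certificates would remain, so a leaf-only or
    leaf + intermediate file is never truncated further.
    """
    certs = split_pem_chain(text)
    if len(certs) - 1 < min_remaining:
        raise ValueError(
            f"bundle has {len(certs)} certificate(s); nothing to trim")
    return "\n".join(certs[:-1]) + "\n"

# Constructed sample bundle with placeholder bodies (not real certificates).
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\nLEAF_PLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nR3_PLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nX1_CROSS_PLACEHOLDER\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: python trim_chain.py fullchain.pem fullchain-short.pem
        with open(sys.argv[1]) as f:
            trimmed = drop_last_cert(f.read())
        with open(sys.argv[2], "w") as f:
            f.write(trimmed)
    else:
        print(drop_last_cert(SAMPLE_FULLCHAIN))
```

Write to a new file and point the web server at it rather than overwriting fullchain.pem in place, since the ACME client regenerates that file on renewal.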
Looks like that worked, thank you!
btw keep in mind a cert for *.example.com only covers single-depth subdomains. It won't be valid for foo.baa.example.com
Glad to help
Cheers from Miami
#FreeCUBA
is it required to keep the TXT record around when making a *.domain cert ?
After use you can remove the TXT record; each time you renew the cert you will get a new TXT record to post.
Oh.. crappy. There goes automation.
Depending on the DNS Service Provider (DSP) used, there may be a way to fully automate the DNS adds/removes.
Your DNS appears to be google cloud, many acme clients already support automated DNS validation for such large providers. If not, you can script the updates yourself using their API. Other alternatives include acme-dns type services (CNAME delegation to a DNS challenge response service).
Correct, certbot has a certbot-dns-google plugin available.