Expired R3 intermediate cert and FreeBSD

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: arbor.potrzebie.org

I ran this command: (in browser) https://arbor.potrzebie.org

It produced this output: Your connection is not private: NET::ERR_CERT_DATE_INVALID

My web server is (include version): nginx-1.20.1_2,2

The operating system my web server runs on is (include version): FreeBSD 13.0-RELEASE-p4

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.18.0

Greetings. The webserver arbor.potrzebie.org uses an intermediate R3 cert from DST which expired today. As a result it's no longer reachable using https.

I've seen other posts saying just rebooting other OSs will force the server to use the LE R3 cert (which expires in 2025) instead of the expired DST one. That's not the case with this FreeBSD server.

Thanks in advance for clues on how to update the trust chain here. I tried 'certbot renew --force-renew' but that failed, presumably because the system relies on an expired intermediate cert.

This server isn't sending any intermediate certificates. A server reboot won't change that.

You should configure your server to send the correct intermediates; this should clear things up.

You probably need to change your nginx to use the fullchain.pem file provided by certbot to achieve this.

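The change this reply recommends, as an added nginx example that is not from the original thread: the first server block shows the broken setting (cert.pem, leaf certificate only), the second the corrected one (fullchain.pem, leaf plus intermediates). The certificate paths are the certbot defaults as installed by the FreeBSD port and are assumptions.

```nginx
# BEFORE: cert.pem holds only the leaf certificate, so the TLS handshake never
# carries the R3 intermediate. Clients then fall back to whatever chain they
# have cached or can fetch, which may be the expired DST-signed one.
server {
    listen 443 ssl;
    server_name arbor.potrzebie.org;

    # assumed certbot default paths on FreeBSD (port installs under /usr/local/etc)
    ssl_certificate     /usr/local/etc/letsencrypt/live/arbor.potrzebie.org/cert.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/arbor.potrzebie.org/privkey.pem;
}

# AFTER: fullchain.pem is the leaf followed by the intermediate(s) certbot
# received at issuance, so nginx sends the whole chain and clients can build
# a path to ISRG Root X1 without relying on a cached intermediate.
server {
    listen 443 ssl;
    server_name arbor.potrzebie.org;

    ssl_certificate     /usr/local/etc/letsencrypt/live/arbor.potrzebie.org/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/arbor.potrzebie.org/privkey.pem;
}
```

After `service nginx reload`, `openssl s_client -connect arbor.potrzebie.org:443 -servername arbor.potrzebie.org -showcerts </dev/null` should list the intermediate certificate(s) after the leaf instead of a single certificate block.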

Thanks to @Nummer378 and @octarinestudio -- you're both right, and I regret that I can only mark one of your replies as the solution.

In my nginx configuration, pointing to fullchain.pem instead of cert.pem cleared up the issue. Thanks again!

