Due to the expired R3 certificate some client applications accessing my server (namely the Nextcloud client on Windows, Android and iOS, and DAVx⁵ on Android) yield certificate warnings (browsers are working fine). Knowing that the R3 certificate would expire soon, I already forced an update of my certificates last week. Therefore I have an up-to-date full chain which obviously still contains an expired certificate.
My webserver uses a PFX file generated via OpenSSL from the Let's Encrypt files as follows:
~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic
~$ certbot --version
certbot 1.19.0
~$ openssl version
OpenSSL 1.1.1g 21 Apr 2020
To fetch the certificate:
certbot certonly --webroot -w /some/webroot/ -d genes.pics
To build the PFX:
openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in fullchain.pem
With this PFX, SSL Labs will show chain issues:
The "Quick Chain Check" tool (https://chainchecker.certifytheweb.com/) reports a valid chain as expected:
So my questions are:
- Why is there still an "Expired" certificate in the full chain returned by the CA?
- Why is there an "Extra Download" in the second chain?
- Is this an issue with OpenSSL not properly processing the full chain?
- Do I need to adjust / change the OpenSSL command in some manner?
Thanks in advance!
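As an added illustration that is not part of the original post: a small shell helper that lists each certificate inside a certbot fullchain.pem with its subject, issuer and notAfter date and an expired/valid verdict, so you can see directly which member of the bundle has lapsed before packing it into a PFX. It assumes the openssl CLI is installed; the demo chain it builds (Demo Root, Demo Intermediate, example.invalid) is constructed test data, not the site's real certificates.

```shell
#!/bin/sh
# Added example, not code from the original post. Lists every certificate in a
# certbot-style fullchain.pem (leaf first, then intermediates) with subject,
# issuer, notAfter and an expired/valid verdict, so a lapsed member of the
# bundle can be spotted before it is packed into a PFX. Needs the openssl CLI.

chain_report() {   # usage: chain_report /path/to/fullchain.pem
    bundle="$1"; n=0; dir=$(mktemp -d)
    # split the PEM bundle into one file per certificate, in bundle order
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{f=sprintf("%s/%02d.pem",d,i++)} f{print > f}' "$bundle"
    for f in "$dir"/*.pem; do
        n=$((n+1))
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
        end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        # -checkend 0 exits non-zero when the certificate is already past notAfter
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then st=valid; else st=EXPIRED; fi
        printf '%d: %s | issuer: %s | notAfter: %s | %s\n' "$n" "$subj" "$iss" "$end" "$st"
    done
    rm -rf "$dir"
}

# Constructed demo data (hypothetical names): root -> intermediate -> leaf,
# written to $1/fullchain.pem in the order certbot uses (leaf, then intermediate).
make_demo_chain() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" \
        -days 2 -subj "/CN=Demo Root" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Demo Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/int.pem" -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=example.invalid" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.pem" -days 1 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# Stand-alone use: pass a real fullchain.pem, or run without arguments for the demo.
if [ -n "${1:-}" ]; then
    chain_report "$1"
else
    demo=$(mktemp -d); make_demo_chain "$demo"; chain_report "$demo/fullchain.pem"; rm -rf "$demo"
fi
```

Run it against /etc/letsencrypt/live/<domain>/fullchain.pem to see every certificate certbot placed in the bundle and which one reports EXPIRED.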