Full chain still contains expired R3 certificate in PFX

Due to the expired R3 certificate some client applications accessing my server (namely nextcloud Client on Windows, Android and iOS, DAVx⁵ on Android) yield certificate warnings (browsers are working fine). Knowing that the R3 certificate will expire soon I already forced an update of my certificates last week. Therefore I have an up to date full chain which obviously still contains an expired certificate.

My webserver uses a PFX file generated via OpenSSL from the Let's Encrypt files as follows:

~$  lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.6 LTS
Release:        18.04
Codename:       bionic

~$ certbot --version
certbot 1.19.0

~$ openssl version
OpenSSL 1.1.1g  21 Apr 2020

To fetch the certificate:

certbot certonly --webroot -w /some/webroot/ -d genes.pics

To build the PFX:

openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in fullchain.pem

With this PFX, SSL Labs will show chain issues:

https://www.ssllabs.com/ssltest/analyze.html?d=genes.pics&s=2003%3Af6%3A6708%3Ae800%3Af64d%3A30ff%3Afe67%3Aeed2&latest

The "Quick Chain Check" tool (https://chainchecker.certifytheweb.com/) reports a valid chain as expected:

So my questions are:

  • Why is there still an "Expired" certificate in the full chain returned by the CA?
  • Why is there an "Extra Download" in the second chain?
  • Is this an issue with OpenSSL not properly processing the full chain?
  • Do I need to adjust / change the OpenSSL command in some manner?

Thanks in advance!

Found the issue: The PFX certificate was used in a server written with .NET 5.0. Compiling the server with the latest version of dotnet fixed the issue.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.