Hi everyone,
After the DST Root CA X3 Expiration in September 2021, my older iOS device is stuck on that expired certificate.
I found someone else having this exact problem, and being able to fix by "sending the full chain" from the server. But I'm not sure where do I get the intermediate certs for my issued letsencrypt cert? I checked the live folder where the certs are for my domain and read the README file, still no clue. Here @MikeMcQ says fullchain.pem is your leaf with the full intermediate chain, but my Nginx is already configured to send the fullchain.pem, and it doesn't work for the old iOS.
debian# openssl s_client -connect www.example.com:443 -servername www.example.com -trusted_first |head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.example.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=www.example.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
read:errno=0
Looking further on this forum, I found links to the missing certs from @schoen in ISRG Root X1 not supported on ios 9.3.5:
Following the idea that worked for SSL Certificate Not Trusted - Intermediate Certificate, I have tried to append the above isrgrootx1.pem to the end of my fullchain.pem using a text editor. The nginx server reloaded fine and seemingly picked it up, but it didn't fix the issue on my older device.
However, one step has been added to the openssl output:
debian# openssl s_client -connect www.example.com:443 -servername www.example.com -trusted_first |head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.example.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=www.example.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
read:errno=0
I thought what if I should have placed it after the first block but not at the end? Still nothing.
debian# openssl s_client -connect www.example.com:443 -servername www.example.com -trusted_first |head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.example.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=www.example.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
read:errno=0
Haven't yet tried manually adding the isrgrootx1.pem to my iPhone because I want it to work on the server first.
I'm pretty sure I'm missing something. Where do I get the intermediate chain? The certificatechain.io service suggested here is no longer working. Please help
