Help thread for DST Root CA X3 expiration (September 2021)

@mmncs
If you have certbot lower than 1.12, that entry won't do anything.
You can manually edit the fullchain.pem (or chain.pem) file used and remove the last cert from it.
[for a "quick fix" / temporary workaround that won't survive renewal, as all cert files will be replaced then]

4 Likes

I have access to the fullchain.pem but I really don't know how I should edit it...

and thank you for your time!

3 Likes

Sorry, didn't read, so I just delete the last key, I guess...

2 Likes

I'd use: vi, but you can use any text editor.
Like: nano

Look for "-----BEGIN *-----" and "-----END *-----" lines.
They surround the certs.
Simply delete the last cert (and the lines surrounding it).
Save the file.
Restart the web service.

Yes, it has one too many certs.

4 Likes
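The manual edit described in the reply above, as an added Python example (not code from the thread or from certbot): it splits the PEM file into certificate blocks, drops the last one, keeps a backup, and refuses to touch a file with fewer than two certificates so the leaf is never stripped. The file path and the sample PEM text are constructed placeholders, not real certificates.

```python
import re
import sys
from pathlib import Path

# One PEM certificate block, including its surrounding BEGIN/END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----\r?\n?",
    re.DOTALL,
)

# Constructed stand-in for a Let's Encrypt fullchain.pem (leaf, R3,
# cross-signed ISRG Root X1); the bodies are placeholders, not real certs.
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\nLEAFPLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nR3PLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nISRGX1CROSSPLACEHOLDER\n-----END CERTIFICATE-----\n"
)


def split_chain(pem_text):
    """Return the PEM certificate blocks in file order (leaf first)."""
    return [m.group(0) for m in PEM_BLOCK.finditer(pem_text)]


def drop_last_cert(pem_text, min_certs=2):
    """Return pem_text with the final certificate block removed.

    Refuses to act on a file with fewer than min_certs blocks so the leaf
    (or a single-cert chain.pem) is never deleted by accident.
    """
    blocks = split_chain(pem_text)
    if len(blocks) < min_certs:
        raise ValueError(
            f"expected at least {min_certs} certificates, found {len(blocks)}")
    return "".join(blocks[:-1])


def trim_chain_file(path):
    """Back up the chain file as <path>.bak and rewrite it without its last cert.

    Returns the number of certificates left in the file. Remember to restart
    the web service afterwards, and that the next renewal overwrites the file.
    """
    target = Path(path)
    original = target.read_text()
    trimmed = drop_last_cert(original)
    Path(str(target) + ".bak").write_text(original)
    target.write_text(trimmed)
    return len(split_chain(trimmed))


if __name__ == "__main__":
    # Assumed invocation: python trim_chain.py /etc/letsencrypt/live/<domain>/fullchain.pem
    print(trim_chain_file(sys.argv[1]), "certificates kept")
```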

Invalid certificate

Now it says that this certificate was signed by an untrusted issuer, but the chain has changed to:

ISRG Root X1
-- R3
-- mydomain.com

2 Likes

@mmncs
If you check the site with SSL Labs, and it shows OK there, then this new problem is within your client.
Which implies it doesn't have the latest ca-certificates (or Windows Update or Mac update or etc.)

3 Likes

I have tried access on Opera and Chrome and I can see that it has removed

DST Root CA X3

But it still doesn't work on either. This is on my older mac.

Here is the overall rating:

https://www.ssllabs.com/ssltest/analyze.html?d=www.beautonart.com

Overall rating: B

Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

1 Like

If it is below 10.12, you might have issues.

2 Likes

It is 10.9.5

Is there any way to get it working then?

1 Like

Try this "fix":

2 Likes

Is that something I have to install on the mac?

Since I have had others who have contacted me who get the same error, and I can see that my traffic has decreased about 20%, which very well could be because of this warning, and I have no way to ask people who visit the site to install anything.

I have followed this issue and saw the video where they said there would be no issues with browsers and it seems that more people than you would think are using very old laptops.

2 Likes

If this is affecting systems outside your control...
Then I can only think of one immediate solution:

  • You need to switch to another entirely different chain.
    Like from another (free) CA that is ACME protocol friendly.

4 Likes

So Let's Encrypt doesn't work on older laptops?

1 Like

It's not Let's Encrypt that fails to work.
It's the lack of updated trust stores (and relevant TLS libraries).

Older... yes
Really old... probably not.
[eventually such older systems will have problems with all CAs - LE was just the first to expire]

Think...
I can no longer hear your radio station - on my A.M. radio.

3 Likes

So this is not a decision from letsencrypt?

The big problem is that people who visit the site will think it is a virus filled site...

Stealing their credit card information, as it states in Chrome. If it just said they have to update their system, then it would be another story.

2 Likes

The only decision LE made was which (of the two remaining paths) would it serve as the default.
[a root cert expiry is not something any choice can avoid]
And of the two trust paths, some systems (like your MacOS 10.9.5) won't like either.

3 Likes

Then they will get the same message from any of the other 200 million sites that use LE certs.
They will likely start to see the pattern and realize it is their systems that need the "fix" or upgrade.

3 Likes

LE has zero control over messages shown by Chrome.

3 Likes

I'm not sure what you mean by the two remaining paths and it would still have been nice with a bit of warning instead of saying that there would be no issues at all with browsers.

Could they have waited?

2 Likes

Well, thank you for your help.

2 Likes