Help thread for DST Root CA X3 expiration (September 2021)

On what platform is your website running?

2 Likes

easyWP by namecheap

1 Like

OK. I am not familiar with that platform, however likely you do not have the option to manage the signing certificate. How complex was it to set up the Let's Encrypt certificate? How many options were available to control it?

2 Likes

It wasn't complex. I uploaded it using a platform called 'zerossl'.

1 Like

Have you used https://zerossl.com/ to create your certificate (I do not know that platform either)?

2 Likes

Is it possible for me to just reinstall a new certificate or something? Delete the old one and just start over?

1 Like

You may just repeat the same issue, if you redo it. Is that the site you used (https://zerossl.com) to create the certificate? I do not know what options are available at the end to download the certificate. Have you downloaded just the certificate, or the full certificate chain?

2 Likes

My post on this thread 556 worked for me on several Macs running 10.9.5.

1 Like

Yes, I downloaded everything using that site: the private key, certificate and something else.

But... isn't there a way to install the certificate directly from Let's Encrypt? I can pay a web developer to install it for me if it's too complex.

1 Like

There are multiple ways to create the certificate, and that one is feasible. How many files have you downloaded from zerossl.com at the end of the process?

Sorry, I overlooked what you wrote, you already answered my question. The important part, which seemingly is what is broken, is:

That must be the signing certificate chain. And that is what is broken.

3 Likes

Okay thank you for your patience.
So what's the way forward? To create new certificates? You mentioned that there are many ways to do that. Is there an article or something on how I can do that?

2 Likes

Please do not jump that much (yet). We are just trying to fix it easily.

So on the management interface of "easyWP by namecheap", what were you requested to upload? I believe (since I do not know the platform) the key for sure, then the certificate, and thirdly the signing certificate chain. Was that the way?

3 Likes

This image shows the place where I uploaded the certs.

This page shows that the certificate is supposed to be working fine (even though it's not).

1 Like

Just for precision: the term "CA bundle" is what I was referring to before as "signing certificate chain".
I see that you already used a Let's Encrypt certificate in the past, around a year ago. Maybe you uploaded the old "CA bundle", not the recent one you got from "ZeroSSL".

If you do not have the appropriate "CA bundle" any more, please upload this one to easyWP:

chain.pem (3.7 KB)

3 Likes

I have downloaded it. Thank you.
But the problem is, I can't just change the CA bundle. I have to reinstall everything.
I don't have the other ones.

1 Like

When you log in, sometimes you still have under your ZeroSSL account all the data (key, cert, bundle) available to download again. Please do that, and do not forget about the "CA bundle". After that, upload them together to easyWP.

If the certificate with its private key is not in your ZeroSSL account any more, and you do not have any copy, only then do you have to create a new certificate.

3 Likes

Hello. I've tried to access it but I can't.

1 Like

So, it is time now to create a new certificate.

3 Likes

Two questions:

  1. Is there a way to request that the chain/fullchain files sent back from LE include the self-signed ISRG X1 root vs. the one still cross-signed with the now-expired DST CA X3 root?

  2. Is there a time-frame when the chain files will no longer include the cross-signed root?

I ask as I spent a good bit of time today troubleshooting why I could not update a VMware vCenter Server appliance and that turned out to be the reason. I had to manually remove the cross-signed ISRG X1 root out of the chain file & replace it with the self-signed version or else vCenter would fail to import and also wedge itself into a non-functional state in the process.

1 Like

The chain(s) provided by LE generally do not contain root certificates (they're already included in the client's trust store and should never be sent by TLS servers). The current default chain does not include DST Root CA X3 itself (though it contains a certificate with this issuer).

But yes, you can request a chain from LE that does not include the final cross-sign up to DST Root CA X3. This is called the alternate chain. This chain must be explicitly requested by your ACME client; how to do this depends on your client, often it's a command-line argument called preferred-chain (or similar).

There is no explicit time-frame, but you can expect this chain to stay for some years, possibly until late 2024. The chain leading to the expired root is supposed to help with compatibility for some clients (mainly Android), so it's going to stay with us for a while. We're aware that some clients don't like the current default chain, which is why the alternate chain is available.

The current and alternate chains served, as well as any upcoming planned changes, can be found here:

6 Likes
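To check which of the two chains a downloaded chain/fullchain file actually contains, here is an added Go example (not code from this thread or from Let's Encrypt): it walks the PEM file leaf-first and flags the case where the last certificate is the ISRG Root X1 cross-sign issued by the expired DST Root CA X3. The sample chain it inspects is constructed in-process with one ed25519 key and the real subject names, so it runs offline; the DST root signs but, as in real chain files, is not written out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// InspectChain parses every certificate of a PEM chain file in file order and
// returns "subject <- issuer" per certificate plus whether the file ends at the
// ISRG Root X1 cross-sign issued by DST Root CA X3 (the 2021 default chain).
func InspectChain(pemData []byte) (links []string, endsAtDSTX3 bool, err error) {
	for blk, rest := pem.Decode(pemData); blk != nil; blk, rest = pem.Decode(rest) {
		c, perr := x509.ParseCertificate(blk.Bytes)
		if perr != nil {
			return nil, false, perr
		}
		links = append(links, c.Subject.CommonName+" <- "+c.Issuer.CommonName)
		endsAtDSTX3 = c.Issuer.CommonName == "DST Root CA X3"
	}
	return links, endsAtDSTX3, nil
}

// SampleChainPEM is constructed test data shaped like a 2021 default chain file:
// leaf <- R3 <- ISRG Root X1 (cross-signed by DST Root CA X3). One ed25519 key
// signs everything; the DST root only signs and, as in real files, is not written.
func SampleChainPEM(now time.Time) []byte {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	serial := int64(0)
	ca := func(cn string, notAfter time.Time) *x509.Certificate {
		serial++
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: notAfter.AddDate(-5, 0, 0), NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true}
	}
	dst := ca("DST Root CA X3", now.AddDate(0, 0, -1)) // already expired
	leaf, r3, cross := ca("example.test", now.AddDate(0, 2, 0)), ca("R3", now.AddDate(2, 0, 0)), ca("ISRG Root X1", now.AddDate(3, 0, 0))
	var out []byte
	for _, p := range [][2]*x509.Certificate{{leaf, r3}, {r3, cross}, {cross, dst}} { // {cert, issuer}
		der, err := x509.CreateCertificate(rand.Reader, p[0], p[1], key.Public(), key)
		if err != nil {
			panic(err)
		}
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return out
}
```

Run it against your real chain.pem or fullchain.pem by passing the file contents to InspectChain; a file whose last link reads "ISRG Root X1 <- DST Root CA X3" is the default chain, and the alternate chain is the same file minus that last certificate.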