Hi, From October 1st 2021 on worlds Let's Encrypt SSL old certificates not working old operating systems. How to update it?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

A post was split to a new topic: Rate limited: Error creating new order :: too many certificates (5) already issued for this exact set of domains

"How to update it?"
That depends on exactly what you mean by "it".

If you mean "the old cert", then there is no update to it - it expired and was replaced by a newer one.
It was known that older clients would not even know about this newer one, so it was cross-signed with an older one. But that older one has now also expired. Which should not affect the older clients but it has affected some of the newer clients.

If you mean "client systems", then that depends on the system.
Many systems have been "affected" (shown the err of their ways) recently and most can be patched/taught to trust the newer LE cert.

If you mean "server systems", then that depends on the system.
The most "complicated" was probably Windows/IIS which essentially ignores the provided chain and builds its' own any which way it can (not always as expected).

If you mean anything else, then please add some detail/clarity to your request.

@snvs, the compatibility of Let's Encrypt certificates was permanently reduced by the root certificate expiration:

If your question concerns one or more of the OSes in the "Platforms that trust DST Root CA X3 but not ISRG Root X1" section,

the answer is that this compatibility has been permanently lost, and you would need to switch to a different CA or individually update client machines in order to achieve interoperability.

If the problem is with newer systems, it would be helpful to have more details, as @rg305 mentioned, because there are many different quirks in how servers and server configurations have handled the change in certificate chains. For some of them, we've identified workarounds which are described in existing forum threads, and if you can give details, we should be able to point you to a relevant thread.

1 Like

Hi Sir,

certificate is "R3 ISRG Root X1" it is opened in firefox browser but not opened in chrome from October 1st 2021. In chrome broser showing error like "Your connection is not private
Attackers might be trying to steal your information from unitedscientificgroup.org (for example, passwords, messages, or credit cards). Learn more

Please check the chain being served:

openssl s_client -connect unitedscientificgroup.org:443 -servername unitedscientificgroup.org
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = unitedscientificgroup.org
verify return:1
Certificate chain
 0 s:CN = unitedscientificgroup.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:CN = unitedscientificgroup.org
   i:C = US, O = Let's Encrypt, CN = R3
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

Certs ZERO and ONE are duplicates?

Sir, I have less knowledge in ssl. So what is the solution and which command i will use (aws certbot). Please suggest me sir

Please review the vhost config files used in the web server.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.