Hi, from October 1st 2021 onwards, old Let's Encrypt SSL certificates are not working on old operating systems. How to update it?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


"How to update it?"
That depends on exactly what you mean by "it".

If you mean "the old cert", then there is no update to it - it expired and was replaced by a newer one.
It was known that older clients would not even know about this newer one, so it was cross-signed with an older one. But that older one has now also expired. Which should not affect the older clients but it has affected some of the newer clients.

If you mean "client systems", then that depends on the system.
Many systems have been "affected" (shown the err of their ways) recently and most can be patched/taught to trust the newer LE cert.

If you mean "server systems", then that depends on the system.
The most "complicated" was probably Windows/IIS, which essentially ignores the provided chain and builds its own any which way it can (not always as expected).

If you mean anything else, then please add some detail/clarity to your request.

@snvs, the compatibility of Let's Encrypt certificates was permanently reduced by the root certificate expiration:

If your question concerns one or more of the OSes in the "Platforms that trust DST Root CA X3 but not ISRG Root X1" section, the answer is that this compatibility has been permanently lost, and you would need to switch to a different CA or individually update client machines in order to achieve interoperability.

If the problem is with newer systems, it would be helpful to have more details, as @rg305 mentioned, because there are many different quirks in how servers and server configurations have handled the change in certificate chains. For some of them, we've identified workarounds which are described in existing forum threads, and if you can give details, we should be able to point you to a relevant thread.


Hi Sir,

The certificate is "R3 ISRG Root X1". It opens in the Firefox browser but has not opened in Chrome since October 1st 2021. The Chrome browser shows an error like "Your connection is not private
Attackers might be trying to steal your information from unitedscientificgroup.org (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_DATE_INVALID"

Please check the chain being served:

openssl s_client -connect unitedscientificgroup.org:443 -servername unitedscientificgroup.org
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = unitedscientificgroup.org
verify return:1
---
Certificate chain
 0 s:CN = unitedscientificgroup.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:CN = unitedscientificgroup.org
   i:C = US, O = Let's Encrypt, CN = R3
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

Certs ZERO and ONE are duplicates?
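
The observation in the post above (chain entries 0 and 1 carry the same subject and issuer) can be checked mechanically. The following is an added example, not part of the original post: the function names `check_chain` and `sample_chain` are made up here, the sample input is the chain section quoted above, and the comparison is by subject and issuer name only, not by certificate bytes.

```shell
#!/bin/sh
# check_chain: read `openssl s_client` output on stdin and inspect the
# "Certificate chain" section for repeated entries and broken issuer links.
# Assumption: entries are compared by subject/issuer text only.
check_chain() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ {          # subject line, e.g. " 0 s:CN = ..."
      cur = $1 + 0; n++
      sub(/^ *[0-9]+ s:/, ""); subj[cur] = $0
      next
    }
    in_chain && /^ *i:/ {                 # issuer line of the current entry
      sub(/^ *i:/, ""); iss[cur] = $0
    }
    END {
      kept = 0
      for (i = 0; i < n; i++) {           # flag entries already seen earlier
        dup = 0
        for (j = 0; j < kept; j++)
          if (subj[keep[j]] == subj[i] && iss[keep[j]] == iss[i]) { dup = 1; first = keep[j] }
        if (dup) { printf "DUPLICATE: cert %d repeats cert %d (%s)\n", i, first, subj[i]; bad++ }
        else keep[kept++] = i
      }
      for (k = 0; k + 1 < kept; k++)      # each issuer must be the next subject
        if (iss[keep[k]] != subj[keep[k + 1]]) {
          printf "BROKEN: cert %d issuer is not the subject of cert %d\n", keep[k], keep[k + 1]; bad++
        }
      if (!bad) printf "OK: %d certificates, no duplicates, issuer links consistent\n", n
      exit (bad > 0)
    }
  '
}

# Chain section as quoted in the post above.
sample_chain() {
cat <<'EOF'
---
Certificate chain
 0 s:CN = unitedscientificgroup.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:CN = unitedscientificgroup.org
   i:C = US, O = Let's Encrypt, CN = R3
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

sample_chain | check_chain || true
```

Against a live server, the same function can be fed from `openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | check_chain`.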

Sir, I have little knowledge of SSL. So what is the solution, and which command should I use (AWS certbot)? Please advise me, sir.

Please review the vhost config files used in the web server.
