How do I disassociate my domain & server from Let's Encrypt?

My domain is: conscience.ddns.net

It produced this output: "Your connection is not secure"

My web server is (include version): NextCloud v22.1.1

The operating system my web server runs on is (include version): Xubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

I used Let's Encrypt to provide a certificate for my NextCloud service. Having spent five long days now trying to overcome the expired certificate problem causing my domain to be reported as "not secure" without success, I want nothing more to do with this abomination of a certificate provider, Let's Encrypt, and instead switch to one that does not cause such grief. But now I do not seem to be able to do that either.

Other people with a NextCloud server seemed to be able to do that by removing the DST_Root_CA_X3 certificate, but having done so the domain still gives an expired certificate error.

How do I disassociate the domain conscience.ddns.net from the Let's Encrypt expired certificate?

It seems that your certificate is actually expired and your current issues with "your connection is not secure" are related to an expired certificate. Your last certificate expired 01 October 2021. If you try issuing a new certificate with Let's Encrypt you will be closer to remediating this error and then can review if you are having problems with the intermediate and root expirations that are solved for some by removing the DST Root CA X3.

https://crt.sh/?q=conscience.ddns.net

5 Likes

You can also switch to the alternate trust path if you have any trouble with the default path.
How, depends on the client used.
Which ACME client are you using?

It is currently serving the older trust path (through "DST Root CA X3"):

openssl s_client -connect conscience.ddns.net:443 -servername conscience.ddns.net
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = conscience.ddns.net
verify error:num=10:certificate has expired
notAfter=Oct  1 11:01:21 2021 GMT
verify return:1
depth=0 CN = conscience.ddns.net
notAfter=Oct  1 11:01:21 2021 GMT
verify return:1
---
Certificate chain
 0 s:CN = conscience.ddns.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
2 Likes
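As an added example (not code from any of the posts above), here is a small Python parser for the kind of `openssl s_client` transcript quoted in the previous reply. It pulls out the leaf's `notAfter`, any `verify error` lines, and the issuer at the end of the served chain, so a server operator can tell an expired leaf apart from a chain that ends in "DST Root CA X3". The sample transcript is constructed from the quoted output; the `report` field names and the `older_trust_path` label are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the s_client transcript quoted in the thread, trimmed.
SAMPLE = """CONNECTED(00000005)
depth=0 CN = conscience.ddns.net
verify error:num=10:certificate has expired
notAfter=Oct  1 11:01:21 2021 GMT
verify return:1
---
Certificate chain
 0 s:CN = conscience.ddns.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

def parse_chain(text):
    """(subject, issuer) pairs from the 'Certificate chain' block, server order."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+ s:(.*)", line)
        if m:
            subject = m.group(1).strip()
        elif subject is not None and (m := re.match(r"\s*i:(.*)", line)):
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def not_after(text):
    """Leaf expiry as an aware UTC datetime, from the first notAfter= line."""
    m = re.search(r"^notAfter=(.*)$", text, re.M)
    if not m:
        return None
    value = re.sub(r"\s+", " ", m.group(1).strip())  # "Oct  1 ..." -> "Oct 1 ..."
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def cn(name):
    """Common name out of an 'O = ..., CN = ...' distinguished name."""
    m = re.search(r"CN = ([^,]+)", name)
    return m.group(1).strip() if m else name

def report(text, now=None):
    """Summarise what the transcript says; 'now' defaults to the current time."""
    now = now or datetime.now(timezone.utc)
    chain, expiry = parse_chain(text), not_after(text)
    root_issuer = cn(chain[-1][1]) if chain else None
    return {
        "leaf": cn(chain[0][0]) if chain else None,
        "not_after": expiry,
        "expired": expiry is not None and expiry < now,
        "verify_errors": re.findall(r"^verify error:(.*)$", text, re.M),
        "chain_ends_in": root_issuer,
        # The reply above calls a chain ending in DST Root CA X3 the "older trust path".
        "older_trust_path": root_issuer == "DST Root CA X3",
    }
```

To use it on a live host, feed `report()` the text of `openssl s_client -connect host:443 -servername host < /dev/null` instead of `SAMPLE`.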

To directly answer your question, you're free to get a cert from any other CA you wish, and install it on your system. To the extent your domain is "associated" with Let's Encrypt, this should end any such association.

As to how best to do that? That would be a question better directed, well, pretty much anywhere but here.

3 Likes

In trying to issue a new Let's Encrypt certificate, that is failing despite me following the same steps I used when I set up the NextCloud site some few months ago. The http-01 challenge is failing with a timeout error and the firewall and router are set up just as they were at that time. And now it is failing for having too many authentication failures.

As for changing the trust path, I have no idea how to do that with the NextCloud snap installation I have used.

As for going elsewhere for advice, I have tried elsewhere too.

I think my best bet is to give up with this self-hosted NextCloud server; it's just got too difficult to understand the intricacies of how all the different components hang together. When something like this certificate expiry can break everything and I can't solve it in 5 days, it is clearly beyond me. A shame, since I have had it working for months.

The key is finding exactly where the problem is.
When needing to drive, you must first find the car keys; So don't spend all day looking for them in the bedroom when they are in the kitchen, or you aren't driving that car anytime soon.

So you may need to sharpen your troubleshooting skills.
Start with an ordered list of things that could have gone wrong and are breaking this.
[you may need to fully understand how things tie into one another - or ask for help with pieces you don't]
Rule out only those things that can be ruled out.
Leave no stone unturned.
Test/verify everything you can (as independently as possible).
Once you've found where the problem is, the rest is... easy.

3 Likes

Our community is typically very helpful. I'm not sure what is causing that problem but you can open a new help thread and fill in the questions to start the process of getting help. If I were to guess from the information you provided, there is some unexpected change in the firewall or router that is preventing issuance. This is based on the fact that your certificate didn't automatically renew, you are self hosting with the http-01 challenge, and are failing authorizations.

If you are still looking to switch from Let's Encrypt, there are other free certificate authorities that can be used. You will have to look at your client and the certificate authority's documentation to get that working.

4 Likes

I think in your situation, it would be best to purchase a certificate from a commercial provider and work with their support.

LetsEncrypt is a free service provided by a non-profit group and a very small staff - nevertheless they successfully provide the security layer to a large percentage of internet traffic. The majority of people who provide help on these forums are industry professionals, volunteering what little free time we have.

I don't know what you expected to accomplish by popping into these forums and starting your dialog by insulting a non-profit group and volunteers. I don't care to know either.

I am sure a paid commercial service would be happy to help you migrate from LetsEncrypt to their products, and I think that would be the most effective way to accomplish your goals.

5 Likes
