I have seen domains (such as https://zerossl.com) with Let’s Encrypt certificates that last for years. How can I get a certificate like that for a domain so I don’t have to renew every few months?
All Let’s Encrypt certificates expire after 90 days. They may offer shorter-lived certificates in the future, but probably not longer ones.
https://zerossl.com/'s current certificate is valid for 90 days, from December 4 to March 4.
Edit: Your best options are to automate renewal so it’s not a hassle anymore, or to use a different CA offering longer-lived certificates.
I think you misinterpreted what you saw; the certificate for zerossl.com, like other Let’s Encrypt certificates, has a 90-day validity period.
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 Validity Not Before: Dec 4 18:27:00 2016 GMT Not After : Mar 4 18:27:00 2017 GMT Subject: CN=zerossl.com
Extension every 3 months
That is the correct expiry time of the intermediate certificate (the Let’s Encrypt Authority X3 certificate in the chain you’re viewing there).
Since it’s being displayed here as the expiry time of the leaf certificate for zerossl.com, I think you’ve found a Safari bug.
Do you have a way that you could export a copy of the certificate in PEM format (perhaps from within the Details tab there or something)? Maybe we can interest someone at Apple in looking into this.
Edit: also, what version of Safari and on what version of macOS?
Please instruct me on how to do this, and I can contact Apple myself as I am a developer/tester. I am using Safari 7 Beta on macOS 10.12.4 Beta, but this issue persists on all versions of Safari 6+ that I have tested. This issue only appears on “official” Let’s Encrypt sites, such as the Community, https://sslforfree.com, https://gethttpsforfree.com, etc.
EDIT: it appears to me as though Safari is being told to trust the intermediate certificate as the domain’s certificate. I can verify that this issue only exists in Safari. Opera, Chrome, and Firefox don’t display this issue.
That’s interesting and it sounds like a real Safari bug. Maybe you can send them the screenshots and links. For contrast, this is what I see in the equivalent dialog in Firefox 50.1.0
I’m confident the Firefox version is right because I’ve exported the certificates and looked at them with the
openssl tool. The data that you see displayed for the zerossl.com cert is in fact the correct data for Let’s Encrypt Authority X3, immediately above it in the chain.
Gotcha. Then, in that case, I will contact Apple Developer to have this issue fixed in the next public release.
None of them have any sort of special certificates. Nobody has any sort of special certificate, in fact.
It would be interesting to see if there’s something about those sites that nonetheless has a different configuration from others; @sulliops, if you have an example of an LE-certified site that doesn’t exhibit this behavior in Safari, we could try to look to see if there is something different somehow about the cert chain it sends (for example, maybe it has to do with the order of the certs in the chain, whether the site sends an unnecessary copy of the root certificate, whether the intermediate is omitted, or something else).
@mnordhoff’s observation is correct—the web client sites are not official and are not operated by LE.
Define LE-certified. Does this simply mean any website secured by a LE certificate, or a specific site made by Let’s Encrypt?
For the first option, try my website at https://sulliops.co. I recently renewed my certificate, so it should list April 24 as the expiration date. For the second one, I will try to find something, but no luck so far.
Yep, I meant a site secured by a Let’s Encrypt certificate.
Looking quickly at your site, I didn’t see anything materially different in how it sends certs vs. how zerossl.com sends them; would you be willing to make a screenshot of what your Safari shows for your own site’s cert’s expiration? (I also think you can go ahead and report this to Apple, if you haven’t already… I’m just curious whether we can also figure out anything more from our end.)
Okay. I am sending my report now.
The first image is the screenshot from my site, the second is the screenshot from ZeroSSL (which also applies to Community, and the other non affiliated sites).
It appears as though all sites are now showing me the intermediate certificate. At this point I’m confident it has to do with a Safari bug. This is odd because just a few hours ago, my site was showing an April 24, 2017 expiration date.
EDIT: I decided to test some websites that were secured by other CAs, and they too are showing this error. I am updating my report to Apple.
Just tested this on Safari Version 10.0.3 (OS X El Capitan 10.11.6) and seems to be working fine for what it’s worth (here).
I’m on macOS Sierra 10.12.3 (16D32) with Safari 10.0.3 (12602.4.8) and I see an expiry of March 2017 for ZeroSSL.com
I can now confirm that the issue is resolved on macOS Sierra 10.12.4 Developer Beta 2 (16E154a) running Safari 10.1 (12603.1.23.1), both of which were released on Feb. 7, 2017. This issue is resolved.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.