HTTPS certificate not valid after DST Root CA X3 expiration

Hello,

Since the expiration of the DST Root CA X3 (the 30th of September 2021), my HTTPS certificate is not valid from some device.

  • From some costumer device, the CA is from DST Root CA X3. (so not ok)

  • But from all my device, the CA is from IRSG Root X1. (so it's ok)

My domain Name is promis2.laophenixconsulting.com
What I check:

So why from some device, the root certificate is DST Root CA X3 and some others is IRSG Root X1?

How to solve that problem:

  • To clean the cache of my apache web server ?

  • To restart my server to update the chain certificate ?

  • To remove the DST Root CA X3 from the ssl certificate in /etc/ssl/conf ?

Thank for your attention

Your server is sending a completly invalid/weird certificate chain:

---
Certificate chain
 0 s:CN = promis2.laophenixconsulting.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:CN = laophenixconsulting.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 2 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

Neither certificate 1 nor 2 should be present there. 0 is your leaf, which is good. 1 is a very old leaf that has long expired and 2 is a retired intermediate.

It looks like you have misconfigured your server. You should be configuring your server to serve the fullchain file usually provided by your acme client.

4 Likes

I think it's because I didn't succeed the first time, so I asked for another certificate ... Can I remove it from my server just by deleting the 4 files (cert.pem, chain.pem, fullchain.pem & the privkey.pem) ?

My configuration server:

  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache2/conf/promis2.laophenixconsulting.com.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/promis2.laophenixconsulting.com.key"
  SSLCertificateChainFile "/etc/letsencrypt/live/laophenixconsulting.com/fullchain.pem"

My problem is that my SSLCertificateFile & SSLCertificateKeyFile are not from the same folder (maybe not the same certifcate request) that SSLCertificateChainFile ?

I'm confused of what to use, I have:

  • My cert.pem, chain.pem, fullchain.pem & the privkey.pem of my domain in /etc/letsencrypt/live/laophenixconsulting.com

  • Another crt, key and privatekey file of my subdomain in /opt/bitnami/apache2/conf/.

Should I use that to configure my web server ? It will cover all my subdomain ?

1 Like

The certificate found in /opt/bitnami/apache2/conf/ is only valid for the hostname promis2.laophenixconsulting.com. It is currently valid and not expired. Based on the directory, I would say that is bitnami's acme client?

The certificate found in /etc/letsencrypt/live/laophenixconsulting.com (which is a directory used by certbot) is a wildcard which is valid for *.laophenixconsulting.com, laophenixconsulting.com. This certificate has expired on July 22 2020, over one year ago.

What to do depends on what you want to achieve:

  • Which hostnames do you have, want or need certificates for?
  • Which acme client do you want to use to get the certificates?

Once you have decided that we can work on getting that configuration to work. Also:

This is not correct, you usually do not need the SSLCertificateChainFile directive at all (Apache is capable of loading leaf + chain from SSLCertificateFile). If it is used, it must not be used with any fullchain.

2 Likes

Yes It is.

I just need certificate for my subdomain (promis2.laophenixconsulting.com)
For my acme client I want to stay with the one located in /opt/bitnami/letsencrypt/accounts

So according to that I understand, I should have this configuration:

  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache2/conf/promis2.laophenixconsulting.com.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/promis2.laophenixconsulting.com.key"

That's why some devices keep using the DST Root CA X3 ?

1 Like

This seems very strange:

openssl s_client -connect promis2.laophenixconsulting.com:443 -servername promis2.laophenixconsulting.com
CONNECTED(00000005)
depth=0 CN = promis2.laophenixconsulting.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = promis2.laophenixconsulting.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = promis2.laophenixconsulting.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:CN = laophenixconsulting.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 2 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
2 Likes

2 Likes

It's sending a very old fullchain.pem as the certificate chain, next to a current cert.pem.. (speaking in certbot terms.)

3 Likes

I modify my apache configuration:

  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache2/conf/promis2.laophenixconsulting.com.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/promis2.laophenixconsulting.com.key"

Now I have that result:

openssl s_client -connect promlting.com
CONNECTED(00000003) depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=promis2.laophenixconsulting.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Is it normal that I still have the certificate 1 and 2 ?

1 Like

Yes, this is the correct default chain currently in use. Cert 1 is always required and cert 2 is in place for compatibility reasons for older Android phones (Android versions before 7.1.1).

3 Likes

Even if the DST Root CA X3 is expired 3 days ago ?

1 Like

Yes, please see: Extending Android Device Compatibility for Let's Encrypt Certificates - Let's Encrypt

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.