HTTPS certificate not valid after DST Root CA X3 expiration

Help
1

Hello,

Since the expiration of the DST Root CA X3 (the 30th of September 2021), my HTTPS certificate is not valid from some device.

  • From some costumer device, the CA is from DST Root CA X3. (so not ok)

  • But from all my device, the CA is from IRSG Root X1. (so it's ok)

My domain Name is promis2.laophenixconsulting.com
What I check:

So why from some device, the root certificate is DST Root CA X3 and some others is IRSG Root X1?

How to solve that problem:

  • To clean the cache of my apache web server ?

  • To restart my server to update the chain certificate ?

  • To remove the DST Root CA X3 from the ssl certificate in /etc/ssl/conf ?

Thank for your attention

2

Your server is sending a completly invalid/weird certificate chain:

---
Certificate chain
 0 s:CN = promis2.laophenixconsulting.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:CN = laophenixconsulting.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 2 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

Neither certificate 1 nor 2 should be present there. 0 is your leaf, which is good. 1 is a very old leaf that has long expired and 2 is a retired intermediate.

It looks like you have misconfigured your server. You should be configuring your server to serve the fullchain file usually provided by your acme client.

4 Likes
3

I think it's because I didn't succeed the first time, so I asked for another certificate ... Can I remove it from my server just by deleting the 4 files (cert.pem, chain.pem, fullchain.pem & the privkey.pem) ?

My configuration server:

  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache2/conf/promis2.laophenixconsulting.com.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/promis2.laophenixconsulting.com.key"
  SSLCertificateChainFile "/etc/letsencrypt/live/laophenixconsulting.com/fullchain.pem"

My problem is that my SSLCertificateFile & SSLCertificateKeyFile are not from the same folder (maybe not the same certifcate request) that SSLCertificateChainFile ?

I'm confused of what to use, I have:

  • My cert.pem, chain.pem, fullchain.pem & the privkey.pem of my domain in /etc/letsencrypt/live/laophenixconsulting.com

  • Another crt, key and privatekey file of my subdomain in /opt/bitnami/apache2/conf/.

Should I use that to configure my web server ? It will cover all my subdomain ?

1 Like
4

The certificate found in /opt/bitnami/apache2/conf/ is only valid for the hostname promis2.laophenixconsulting.com. It is currently valid and not expired. Based on the directory, I would say that is bitnami's acme client?

The certificate found in /etc/letsencrypt/live/laophenixconsulting.com (which is a directory used by certbot) is a wildcard which is valid for *.laophenixconsulting.com, laophenixconsulting.com. This certificate has expired on July 22 2020, over one year ago.

What to do depends on what you want to achieve:

  • Which hostnames do you have, want or need certificates for?
  • Which acme client do you want to use to get the certificates?

Once you have decided that we can work on getting that configuration to work. Also:

This is not correct, you usually do not need the SSLCertificateChainFile directive at all (Apache is capable of loading leaf + chain from SSLCertificateFile). If it is used, it must not be used with any fullchain.

2 Likes
5

Yes It is.

I just need certificate for my subdomain (promis2.laophenixconsulting.com)
For my acme client I want to stay with the one located in /opt/bitnami/letsencrypt/accounts

So according to that I understand, I should have this configuration:

  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache2/conf/promis2.laophenixconsulting.com.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/promis2.laophenixconsulting.com.key"

That's why some devices keep using the DST Root CA X3 ?

1 Like
6

This seems very strange:

openssl s_client -connect promis2.laophenixconsulting.com:443 -servername promis2.laophenixconsulting.com
CONNECTED(00000005)
depth=0 CN = promis2.laophenixconsulting.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = promis2.laophenixconsulting.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = promis2.laophenixconsulting.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:CN = laophenixconsulting.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 2 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
2 Likes
7

image
image419×522 9.73 KB

2 Likes
8

It's sending a very old fullchain.pem as the certificate chain, next to a current cert.pem.. (speaking in certbot terms.)

3 Likes
9

I modify my apache configuration:

  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache2/conf/promis2.laophenixconsulting.com.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/promis2.laophenixconsulting.com.key"

Now I have that result:

openssl s_client -connect promlting.com
CONNECTED(00000003) depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=promis2.laophenixconsulting.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Is it normal that I still have the certificate 1 and 2 ?

1 Like
10

Yes, this is the correct default chain currently in use. Cert 1 is always required and cert 2 is in place for compatibility reasons for older Android phones (Android versions before 7.1.1).

3 Likes
11

Even if the DST Root CA X3 is expired 3 days ago ?

1 Like
12

Yes, please see: https://letsencrypt.org/2020/12/21/extending-android-compatibility.html

3 Likes
13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.