HTTPS works but certs in /live fail?

I received an email that my cert was expiring, so I did a certbot update and it said I'm good until January. When the cert expired, the website continued to work with HTTPS, but websockets to a mosquitto broker on the same machine now throw failure errors. Trying to track down what was going on (mosquitto links to the certificates in the /live folder of letsencrypt), I manually checked the live certificates and they showed as expired.

Digging in the transparency report I can see that I've requested numerous licenses (oops). In my journey to where I am, I did create several virtual machines on Linode and tried numerous different configurations. I honestly don't remember exactly how I got to this nginx/mosquitto version that worked great for a couple of months and then died, as I was clearly updating the wrong certificates. If anybody can help me figure out where my actual (working) certs are and/or if there's a way to re-point them to /live or link wherever they are to the mosquitto conf... or at this point I'd be happy to be mocked for ignorance if it might help me not have to start over with a fresh server.

My domain is:
devlincross.co.uk
I ran this command (in the live/devlincross.co.uk directory):
openssl verify -CAfile chain.pem cert.pem

It produced this output:
O = Digital Signature Trust Co., CN = DST Root CA X3

error 10 at 3 depth lookup: certificate has expired

error cert.pem: verification failed

My web server is (include version):
nginx (not sure of version. whatever came with debian 10)
The operating system my web server runs on is (include version):
debian 10
My hosting provider, if applicable, is:
linode
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.21.0

1 Like

You can trust the output of certbot certificates. If it says the certificate is good for .. days, your cert is good. The OpenSSL verify command is choking on the expired DST Root CA X3 root certificate in the chain (which is present for older Android compatibility: Extending Android Device Compatibility for Let's Encrypt Certificates - Let's Encrypt).

It's possible your mosquitto broker is also choking on this compatibility chain. I think there are two options: either fix your mosquitto broker so it'll accept the current chain or change the default certificate chain to the alternative chain without Android compatibility.

5 Likes
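An added example, not code from this thread, that shows what the answer above describes: a stdlib-only Python script that lists every certificate in a certbot chain.pem with its issuer and notAfter date. On the late-2021 default chain it shows that each member of the bundle is still valid and that the bundle ends in ISRG Root X1 cross-signed by DST Root CA X3, so `openssl verify -CAfile chain.pem` has to reach for the OS copy of DST Root CA X3, which is the expired certificate reported at depth 3. The chain and OS root built by `stub_cert_pem` and `demo` are constructed stand-ins with only the fields the parser reads (not real certificates, dates chosen to resemble that chain); point `chain_report` at your own chain.pem to inspect the real bundle.

```python
import base64, datetime, re

PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"          # DER-encoded OID 2.5.4.3 (commonName)
UTC = datetime.timezone.utc

def tlv(buf, pos):                                       # DER element at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def common_name(buf, start, end):                        # CN of a DER Name; enough to tell chain members apart
    _, vs, ve = tlv(buf, buf.find(CN_OID, start, end) + len(CN_OID))
    return buf[vs:ve].decode("utf-8", "replace")
def cert_summary(der):
    """(subject CN, issuer CN, notAfter) of one DER X.509 v3 certificate."""
    pos = tlv(der, tlv(der, 0)[1])[1]                    # Certificate -> into TBSCertificate
    for _ in range(3):                                   # skip [0] version, serialNumber, signature AlgorithmIdentifier
        pos = tlv(der, pos)[2]
    _, is_, ie = tlv(der, pos)                           # issuer Name
    _, vs, ve = tlv(der, ie)                             # validity SEQUENCE { notBefore, notAfter }
    tag, as_, ae = tlv(der, tlv(der, vs)[2])             # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    _, ss, se = tlv(der, ve)                             # subject Name
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    not_after = datetime.datetime.strptime(der[as_:ae].decode(), fmt).replace(tzinfo=UTC)
    return common_name(der, ss, se), common_name(der, is_, ie), not_after
def chain_report(pem, now):                              # (subject, issuer, notAfter, expired) per cert in a PEM bundle
    rows = [cert_summary(base64.b64decode(m.group(1))) for m in PEM.finditer(pem)]
    return [(s, i, na, na <= now) for s, i, na in rows]
def needs_external_root(rows):                           # bundle ends in a cross-signed cert, so the verifier
    return rows[-1][0] != rows[-1][1]                    # must already trust that root from its own store

def der(tag, body):                                      # constructed test helper; short-form lengths suffice here
    return bytes([tag, len(body)]) + body
def stub_cert_pem(subject_cn, issuer_cn, not_after):    # not_after as UTCTime text, e.g. "240930000000Z"
    """Constructed stand-in, not a real cert: only the TBS fields the parser reads, no key or signature."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, CN_OID + der(0x0C, cn.encode()))))
    validity = der(0x30, der(0x17, b"210101000000Z") + der(0x17, not_after.encode()))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + name(issuer_cn) + validity + name(subject_cn))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der(0x30, der(0x30, tbs))) + b"-----END CERTIFICATE-----\n"

def demo(now=datetime.datetime(2021, 11, 20, tzinfo=UTC)):
    """Constructed chain.pem shaped like the late-2021 default Let's Encrypt chain, plus the OS copy of DST Root CA X3."""
    chain = (stub_cert_pem("devlincross.co.uk", "R3", "220115000000Z")            # leaf; date is a placeholder
             + stub_cert_pem("R3", "ISRG Root X1", "250915000000Z")
             + stub_cert_pem("ISRG Root X1", "DST Root CA X3", "240930000000Z"))  # cross-signed, not self-signed
    rows = chain_report(chain, now)
    os_root = chain_report(stub_cert_pem("DST Root CA X3", "DST Root CA X3", "210930000000Z"), now)[0]
    return rows, needs_external_root(rows), os_root
```

For a real bundle, `chain_report(open("/etc/letsencrypt/live/<domain>/chain.pem", "rb").read(), datetime.datetime.now(UTC))` gives the same per-certificate rows, and a last row whose issuer differs from its subject is the cue to check that root in the OS trust store (or to switch certbot to the alternative chain).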

Would the Android glitch result in the error that the certificate has expired?

As further information, in my panic today, I discovered that, hosted on my website, the HTML would choke on the MQTT. However, when I packaged the same source as an Android apk, it worked fine. Not sure what that means, though.

1 Like

Which "glitch" exactly?

I also have no idea what you mean by this, sorry.

4 Likes

Android ignores the expiration date on the root certificate.

3 Likes

An aside...
Your IPv4 and IPv6 don't seem to be handling HTTP in the same manner:

curl -Ii4 devlincross.co.uk

HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Sat, 20 Nov 2021 14:26:43 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://devlincross.co.uk/

curl -Ii6 devlincross.co.uk

HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Content-Length: 3449

[Note: HTTPS, however, does seem to be equal]

3 Likes
