Invalid certificate chain, bug I can't figure out what's wrong

As far as I can tell, my certs are not expired. They worked before, but now browsers can’t connect.

$ sudo openssl x509 -enddate -noout -in /etc/letsencrypt/live/
notAfter=Aug 19 05:17:00 2017 GMT

Been googling for a half-hour without any real leads. Any suggestions? Thank you.

More info:

My domain is:

I ran this command: curl -v

It produced this output:

* Rebuilt URL to:
*   Trying
* Connected to ( port 443 (#0)
* SSL certificate problem: Invalid certificate chain
* Curl_http_done: called premature == 1
* Closing connection 0

curl: (60) SSL certificate problem: Invalid certificate chain
More details here:

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

My web server is (include version): nginx/1.10.0

The operating system my web server runs on is (include version): Ubuntu 16.04.2

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

It’s definitely expired:

# openssl s_client -connect
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN =
**verify error:num=10:certificate has expired**
**notAfter=Jun 20 04:39:00 2017 GMT**
verify return:1
depth=0 CN =
**notAfter=Jun 20 04:39:00 2017 GMT**
verify return:1
Certificate chain
 0 s:/
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    **Verify return code: 10 (certificate has expired)**
1 Like

The certificate being presented by that site is 03:bc:a3:e3:f7:54:0e:04:3b:8e:80:68:29:1a:22:52:ea:8c, does this match what you expect? I think you may need to restart/reload nginx - it’s probably still using the old cert sitting in memory.

# openssl x509 -in test.pem -noout -text
        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
            Not Before: Mar 22 04:39:00 2017 GMT
            Not After : Jun 20 04:39:00 2017 GMT

Oh! Well, I’m an idiot, then. The auto renewal is happening, as the certs on disk are correct, but you’re right, Nginx wasn’t restarted. I gotta go find the docs on how to get it to reload the certs after renewal. Thank you.!

I can save you a little time: Either switch to using the Nginx authenticator (--nginx), which will automatically reload for you, or add --renew-hook "service nginx reload" to your Certbot command. I’ve definitely had the same mistake on some of my own servers, so you shouldn’t feel like an idiot. :slight_smile:

1 Like

Thanks. I don’t seem to have the nginx plugin installed, so I went the --renew-hook route. Hopefully that works in August!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.