Invalid certificate chain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: for example: www.donautec.com

I ran this command: certbot certonly --preferred-challenges=http -d www.donautec.com

It produced this output:

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.6 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.27.0

Certificate is ok,
but the chain-certificates are not:
Cert (OK) -> R3 (OK) --> ISRG Root X1 (OK) --> DST Root CA X3 (INVALID)

$ openssl x509 -noout -text -in chain.pem (-> splitting to chain1.pem + chain2.pem)

$ openssl x509 -noout -text -in chain1.pem
Certificate:
Data:
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Sep 4 00:00:00 2020 GMT
Not After : Sep 15 16:00:00 2025 GMT
Subject: C = US, O = Let's Encrypt, CN = R3

$ openssl x509 -noout -text -in chain2.pem
Certificate:
Data:
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Validity
Not Before: Jan 20 19:14:03 2021 GMT
Not After : Sep 30 18:14:03 2024 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1

$ certmgr.msc Root-certificates
CN = DST Root CA X3
valid until "30. September 2021 15:01:15"
--> INVALID

==> Why don't you generate the new chain.pem ?
$ openssl x509 -noout -text -in chainNEW.crt
......
Certificate:
Data:
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Jun 4 11:04:38 2015 GMT
Not After : Jun 4 11:04:38 2035 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1

Since the expiry of the DST Root CA X3, Let's Encrypt now offers two chains. One we call the 'long chain', which is what you describe. This long chain is the default and is used by many websites, including this forum site. There is also a 'short chain' that excludes the expired DST cert.

You can choose which one using certbot by adding --preferred-chain "ISRG Root X1" to the command. BUT, you must use certbot v1.12 or later for this to work so you would need to upgrade.

Most sites do not need to use the short chain. Please read this topic for a better understanding.

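As an added example (not part of this thread, and not Certbot or Let's Encrypt tooling), the following POSIX shell script does what the original poster did by hand: it splits a chain file into its individual certificates, reports each one's subject, issuer and expiry with an EXPIRED/VALID flag, and verifies the leaf using only a chosen trust anchor instead of the system store, which is how you can check whether the short chain (ISRG Root X1 as the root) works before switching Certbot to it. File names are placeholders, and the script assumes an installed OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect every certificate in a
# chain file, flag expired ones, and verify the leaf against one chosen root.
# Assumes OpenSSL >= 1.1.1 on PATH; all file names are placeholders.

# split_chain FILE PREFIX : write each PEM block to PREFIX-N.pem, print the count
split_chain() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem" }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
        END { print n + 0 }
    ' "$1"
}

# chain_report FILE : one line per certificate: STATUS | subject | issuer | notAfter
# "-checkend 0" exits non-zero when the certificate has already expired, which is
# exactly the condition that broke the DST Root CA X3 link in the long chain.
chain_report() {
    tmp=$(mktemp -d)
    count=$(split_chain "$1" "$tmp/cert")
    i=1
    while [ "$i" -le "$count" ]; do
        f="$tmp/cert-$i.pem"
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            status=VALID
        else
            status=EXPIRED
        fi
        printf '%s | %s | %s | %s\n' "$status" \
            "$(openssl x509 -in "$f" -noout -subject)" \
            "$(openssl x509 -in "$f" -noout -issuer)" \
            "$(openssl x509 -in "$f" -noout -enddate)"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# verify_leaf LEAF CHAIN ROOT : build the path with ROOT as the only trust anchor
# (the system store is ignored), so the exit status tells you whether clients
# that trust only that root, e.g. ISRG Root X1 for the short chain, would accept it.
verify_leaf() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1"
}

# Usage: sh chaincheck.sh chain.pem            (report only)
#        sh chaincheck.sh chain.pem cert.pem root.pem   (report + verify)
if [ "$#" -gt 0 ]; then
    chain_report "$1"
    if [ "$#" -ge 3 ]; then
        verify_leaf "$2" "$1" "$3"
    fi
fi
```

Run against the chain.pem from the question, the report shows the R3 and cross-signed ISRG Root X1 certificates as VALID (their own expiry dates are in 2025 and 2024), which is why the long chain itself is not broken; the failure described in the post comes from the client's root store, where DST Root CA X3 has expired. A verify_leaf call with the self-signed ISRG Root X1 as the only CA file is the quick way to confirm that the same leaf and intermediate are accepted on the short chain before adding --preferred-chain "ISRG Root X1" to a Certbot 1.12+ invocation.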
