Hi,
I have an apache and tomcat using letsencrypt certificates using certbot and debian 9 that were working correctly until past 30/9/21 16.00, but since this date some querys, for example using curl we receive a message that certificate is expired, but making same query using a broswer appears all correct ISG ROOT X1 that expired on 30/9/2024, and I ahve tried that If i replace this full chain replacing (manually) this certificate by ISG root X1 with expiration date 4/6/2035 then it works
We are using debian 9 and tried to update packages to latest debian stable repositories:
ii ca-certificates 20200601~deb9u2 all
ii certbot 0.28.0-1~deb9u3 all automatically configure HTTPS using Let's Encrypt
ii python-certbot-apache 0.28.0-1~deb9u1 all transitional dummy package
ii python3-certbot 0.28.0-1~deb9u3 all main library for certbot
ii python3-certbot-apache 0.28.0-1~deb9u1 all Apache plugin for Certbot
ii openssl 1.1.0f-3+deb9u2 amd64
and then force renew, but full chian error persist, and 2024 CA is shwed and using curl query an expiration message appears, but I don't understand where is, because no expired certificate in this full chain
As workaround seems that if in /etc/ca-certificates.conf
I add ! on mozilla/DST_Root_CA_X3.crt to disable this certificate
and then update-ca-certificates
then curl works!
I'm a little confused and I like to know what is the best way to recover a clean fullchain automatically generated with this debian 9, any suggestion
Thanks
