Issues with fullchain using certbot and debian 9 since 30/9/21 - TOMCAT


I have an apache and tomcat using letsencrypt certificates using certbot and debian 9 that were working correctly until past 30/9/21 16.00, but since this date some querys, for example using curl we receive a message that certificate is expired, but making same query using a broswer appears all correct ISG ROOT X1 that expired on 30/9/2024, and I ahve tried that If i replace this full chain replacing (manually) this certificate by ISG root X1 with expiration date 4/6/2035 then it works

We are using debian 9 and tried to update packages to latest debian stable repositories:
ii ca-certificates 20200601~deb9u2 all
ii certbot 0.28.0-1~deb9u3 all automatically configure HTTPS using Let's Encrypt
ii python-certbot-apache 0.28.0-1~deb9u1 all transitional dummy package
ii python3-certbot 0.28.0-1~deb9u3 all main library for certbot
ii python3-certbot-apache 0.28.0-1~deb9u1 all Apache plugin for Certbot
ii openssl 1.1.0f-3+deb9u2 amd64

and then force renew, but full chian error persist, and 2024 CA is shwed and using curl query an expiration message appears, but I don't understand where is, because no expired certificate in this full chain

As workaround seems that if in /etc/ca-certificates.conf
I add ! on mozilla/DST_Root_CA_X3.crt to disable this certificate
and then update-ca-certificates
then curl works!

I'm a little confused and I like to know what is the best way to recover a clean fullchain automatically generated with this debian 9, any suggestion


Hi @nirt welcome to the LE community forum :slight_smile:

certbot should be providing the default fullchain.pem
Depending on the certbot version, it can also provide an alternate chain.
[so there are presently two valid LE trust chains to choose from]

If you haven't already, try search through this site for recent conversations on Debian.
[I though I recall seeing something related]

Yes, I have certbot 0.28 and I have searched i fo i this forums but I'm a little confused why with curl fails and with browser not... and woraround that I have found remove from ca certificates on debian, not sure if it is fully correct, or other option are the refommended, or upgrade to latest debian, certbot,...


El ds., 2 d’oct. 2021, 12:39, Rudy Gomez via Let's Encrypt Community Support <> va escriure:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.