Let's Encrypt R3 root cert expiration - how to fix on Ubuntu with certbot?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rentals.blizzardinternet.com

I ran this command: certbot certonly --manual --preferred-challenges=dns -d rentals.blizzardinternet.com

It produced this output: Provided a cert/key/bundle after passing the ACME DNS challenge.

My web server is (include version): Server version: Apache/2.4.18 (Ubuntu) | Server built: 2019-09-16T13:13:53

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS (Xenial Xerus)

My hosting provider, if applicable, is: We have a dedicated hosting environment at Rackspace

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Using certbot, I generated a certificate which is now erroring due to the expiration of the Let's Encrypt R3 cert. I was hoping this could be resolved using certbot but it doesn't appear it can. Our Ubuntu version is old but I believe it will still do the job for this issue. We are phasing out this entire infrastructure at Rackspace and will not be able to upgrade the OS. Is this a simple matter of my downloading the intermediate certificate and using it in place of the one certbot generated earlier? Our certs are managed on a Brocade at Rackspace and we don't have access to the configuration. Thanks for any insight into my newbie questions.

You are serving your certificate with an outdated chain.
For Apache 2.4.8+ it's advised to point the SSLCertificateFile directive to fullchain.pem (instead of cert.pem) and not to use the obsolete SSLCertificateChainFile directive at all.


Hi @tish.lockard welcome to the LE community forum :slight_smile:

What version of OpenSSL does it use?

That may do the trick.
But it may not survive a cert renewal.
[you would have to apply that same manual trick each time - until this problem is completely behind us]

Are the cert (files) copied to the local system?

Thank you for the quick feedback here! We were able to resolve the issue by downloading the new Let's Encrypt R3 cert from their repository and replacing the one in use. This resolved the broken chain error.


We hope that all Let's Encrypt users will eventually fully automate that process. After all, the R3 certificate itself has an expiration date

        Not After : Sep 15 16:00:00 2025 GMT

and could very well be replaced sooner than that (as prior Let's Encrypt intermediate certificates were sometimes replaced before they expired due to infrastructure considerations). The certificate authority always makes available a recommended chain along with every certificate issuance, so it should be possible to automate the process of using its recommended chain.

I partly hope people will choose to arrange for this automation so that we don't see a repetition of the current problems in 2025 (or before then!).

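The two technical points in this thread (serve fullchain.pem rather than cert.pem so the intermediate is sent, and keep an eye on the intermediate's own notAfter) can be checked offline. The script below is an added example written for this page; it is not code from the thread, from Certbot or from Apache. It builds a constructed, throwaway root -> intermediate -> leaf PKI with openssl, then models a browser that trusts only the root and is sent either cert.pem or fullchain.pem, and finally lists the expiry of every certificate in the bundle. The file names (cert.pem, fullchain.pem, privkey.pem) deliberately mirror Certbot's, but everything lives in a temporary directory; the real files are under /etc/letsencrypt/live/<domain>/.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts, Certbot or Apache).
# Apache side, for reference (path is hypothetical):
#   Broken:  SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
#            (+ a stale SSLCertificateChainFile, or none at all)
#   Fixed:   SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed test PKI (throwaway keys, valid for 2 days) -----------------
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:rentals.example\n' > "$WORK/leaf.ext"

# Root CA, self-signed. Extensions come only from -extfile, so the result does not
# depend on whatever openssl.cnf the host ships with.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" -subj "/CN=Constructed Test Root" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# Intermediate, signed by the root (the role R3 plays for Let's Encrypt).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Constructed Test Intermediate" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# Leaf, signed by the intermediate. cert.pem = leaf only; fullchain.pem = leaf + intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/privkey.pem" -out "$WORK/leaf.csr" -subj "/CN=rentals.example" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/cert.pem" 2>/dev/null
cat "$WORK/cert.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"

# --- checks ------------------------------------------------------------------
# client_can_verify TRUSTSTORE SERVED: exit 0 if a client that trusts only the roots
# in TRUSTSTORE can build a path for the first certificate in SERVED, using only the
# other certificates in SERVED as intermediates. That is a browser's position: it ships
# the root and only learns the intermediate if the server sends it in the handshake.
client_can_verify() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# cert_count BUNDLE: number of PEM certificates in BUNDLE (1 means no chain is served).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# chain_enddates BUNDLE: one "subject | notAfter" line per certificate in BUNDLE,
# so an intermediate that is about to expire (R3's own notAfter) is visible.
chain_enddates() {
    awk '/-----BEGIN CERTIFICATE-----/{n++} {print > ("'"$WORK"'/part." n ".pem")}' "$1"
    for f in "$WORK"/part.*.pem; do
        subj=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject= *//')
        end=$(openssl x509 -noout -enddate -in "$f" | sed 's/^notAfter=//')
        printf '%s | %s\n' "$subj" "$end"
    done
    rm -f "$WORK"/part.*.pem
}

for served in cert.pem fullchain.pem; do
    if client_can_verify "$WORK/root.pem" "$WORK/$served"; then
        echo "SSLCertificateFile $served -> client verifies OK ($(cert_count "$WORK/$served") cert(s) sent)"
    else
        echo "SSLCertificateFile $served -> client FAILS, issuer not sent ($(cert_count "$WORK/$served") cert(s) sent)"
    fi
done
echo "Certificates in fullchain.pem and their expiry:"
chain_enddates "$WORK/fullchain.pem"
```

On a real host the same two functions apply unchanged: call client_can_verify with the system trust store (for example /etc/ssl/certs/ca-certificates.crt on Ubuntu) as the first argument and either Certbot's fullchain.pem or the bundle a server actually sends (saved from `openssl s_client -showcerts`) as the second, and run chain_enddates over fullchain.pem from a cron job so an intermediate approaching its notAfter is noticed before clients start failing rather than after.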

Thanks, Seth. We're fully automated in all other systems except this antiquated environment we are hoping to be rid of within the next couple of months. All hail automation! :slight_smile:

