Let's Encrypt root certificate expiring in a few days!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:


I ran this command:


It produced this output:

The certificate is not trusted in all web browsers.

And I noticed that the "Let's Encrypt Authority X3" certificate expires in a few days!

My web server is (include version):

Apache 2.4.18

The operating system my web server runs on is (include version):


My hosting provider, if applicable, is:


I can login to a root shell on my machine (yes or no, or I don't know):


I'm using a control panel to manage my site (no, or provide the name and version of the control panel):


The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I'm using the API via the Acme PHP library to create/renew certificates: https://acme-v02.api.letsencrypt.org/directory

1 Like

Hi @socialattache

your configuration is buggy. Your server sends the old X3 certificate, not the correct and longer living R3 certificate.

Looks like you have hardcoded the intermediate certificate, that's always wrong.

1 Like

Currently I have the following in my VHOSTS files:

SSLCertificateFile /var/www/netbizboom/Data/Certificates/socialattache.com/certificate.pub.pem
SSLCertificateKeyFile /var/www/netbizboom/Data/Certificates/socialattache.com/private-key.pem
SSLCertificateChainFile /var/www/netbizboom/Data/Certificates/intermediate.ca-bundle

And I notice the intermediate.ca-bundle file is from 2019 so I suspect this is the "intermediate certificate" that you say is incorrect? I replaced it with one I downloaded via https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem but I'm still getting the error in the test.

Am I going down the wrong path here? Your response doesn't provide resolution instructions. :slight_smile:

1 Like

Your server sends the old X3, not the newer R3. Minimal a restart is required.

You have created that buggy configuration with a hardcoded intermediate certificate. Nobody knows what you have done. So it's your job to change that.

Restarting Apache on my servers seems to have resolved the issue, thanks!

On the one point - I'm sorry I don't understand what you mean by "hardcoded intermediate certificate". Is there some other way I should be providing this certificate other than having it configured via my VHOSTS file?


my vhosts have no certificates, those are handled by apache separately and effectively

Letsencrypt sends always the correct intermediate certificate.

So normally the update X3 -> R3 isn't a problem.

Looks like

  • your client is buggy, so your client uses / installs a hard-coded intermediate (or)
  • you have created the vHost definitions manual, then it's your error.
1 Like

We're using the Let's Encrypt PHP library to obtain our certificates and I don't see a mention in there of the intermediate certificate being provided. Here's the docs I'm looking at:


1 Like

It provides "fullchain.pem" (which is a concatenation of the end leaf certificate plus the intermediate certificate) as described here: Acme PHP | Documentation


In that documentation, I can't find this line.

There is only something like

SSLCertificateFile      /home/youruser/.acmephp/master/certs/yourdomain.org/public/fullchain.pem
SSLCertificateKeyFile   /home/youruser/.acmephp/master/certs/yourdomain.org/private/key.private.pem

So someone has created that vHost config in the wrong way.

1 Like

I believe our configuration is based on this line from that page near the top under "Apache 2.2.32":

SSLCertificateChainFile /home/youruser/.acmephp/master/certs/yourdomain.org/public/fullchain.pem

What I'm trying to figure out now is how we receive the fullchain.pem via the REST API.

1 Like

Your server answers with a

Server: Apache/2.4.18 (Ubuntu)

So the wrong documentation is used.

1 Like

You are correct, I assumed the most recent version was at the top. :slight_smile:

1 Like

Which REST API? :confused:

The Acme PHP library using https://acme-v02.api.letsencrypt.org/directory with he docs linked above.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.