Let's Encrypt root certificate expiring in a few days!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

socialattache.com

I ran this command:

https://www.sslshopper.com/ssl-checker.html#hostname=https://socialattache.com/

It produced this output:

The certificate is not trusted in all web browsers.

And I noticed that the "Let's Encrypt Authority X3" certificate expires in a few days!

My web server is (include version):

Apache 2.4.18

The operating system my web server runs on is (include version):

Ubuntu

My hosting provider, if applicable, is:

AWS

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I'm using the API via the Acme PHP library to create/renew certificates: https://acme-v02.api.letsencrypt.org/directory

1 Like

Hi @socialattache

Your configuration is buggy. Your server sends the old X3 certificate, not the correct and longer-living R3 certificate.

Looks like you have hardcoded the intermediate certificate, that's always wrong.

1 Like
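The reply above says the server is "sending the old X3"; the way to see that for yourself is to look at what is in the PEM files Apache is configured with and at the chain the live server actually hands out, then compare. The script below is an added example for this thread (it is not code from the thread, from Let's Encrypt or from Acme PHP). It assumes the openssl CLI is installed; host names and paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread, Let's Encrypt or Acme PHP.
# Requires the openssl CLI. Inspects the certificates in a PEM bundle on disk
# (a fullchain.pem or a hand-maintained intermediate.ca-bundle) and the chain a
# live server sends, so an old "Let's Encrypt Authority X3" intermediate is
# visible before and after an Apache restart. Host names/paths are placeholders.

# Split a PEM bundle ($1) into one numbered file per certificate inside dir $2.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/%02d.pem", dir, ++n) }
    f { print > f }
  ' "$1"
}

# Number of certificates in a PEM file; a fullchain.pem has at least two.
bundle_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# One line per certificate (subject, issuer, expiry) in bundle order:
# the leaf first, then the intermediate(s) that were stored with it.
bundle_summary() {
  tmp=$(mktemp -d) || return 1
  split_bundle "$1" "$tmp"
  for f in "$tmp"/*.pem; do
    [ -f "$f" ] || continue
    openssl x509 -in "$f" -noout -subject -issuer -enddate | tr '\n' ' '
    echo
  done
  rm -rf "$tmp"
}

# Exit 0 if every certificate in bundle $1 is still valid $2 seconds from now,
# non-zero if any of them (typically a stale intermediate) expires sooner.
bundle_valid_for() {
  tmp=$(mktemp -d) || return 1
  rc=0
  split_bundle "$1" "$tmp"
  for f in "$tmp"/*.pem; do
    [ -f "$f" ] || continue
    # -checkend N exits non-zero when the certificate expires within N seconds
    openssl x509 -in "$f" -noout -checkend "$2" >/dev/null || rc=1
  done
  rm -rf "$tmp"
  return "$rc"
}

# Fetch the chain the live server really sends (network access required) and
# summarise it like a local bundle. If this differs from bundle_summary run on
# the files named in the vhost, Apache is still serving what it loaded at
# startup and needs a reload/restart.
served_chain() {
  host=$1
  port=${2:-443}
  tmp=$(mktemp) || return 1
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
    </dev/null 2>/dev/null >"$tmp"
  bundle_summary "$tmp"
  rm -f "$tmp"
}

# Run as a script: ./chaincheck.sh socialattache.com [port]
# With no arguments only the functions are defined (e.g. when sourced).
case "${1:-}" in
  "") ;;
  *) served_chain "$1" "${2:-443}" ;;
esac
```

Typical use on the thread's setup: `bundle_summary /var/www/netbizboom/Data/Certificates/intermediate.ca-bundle` shows which intermediate is on disk and when it expires, `bundle_valid_for <file> 604800` fails if anything in it expires within a week, and `served_chain socialattache.com` shows whether the running Apache is handing out the same thing.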

Currently I have the following in my VHOSTS files:

SSLCertificateFile /var/www/netbizboom/Data/Certificates/socialattache.com/certificate.pub.pem
SSLCertificateKeyFile /var/www/netbizboom/Data/Certificates/socialattache.com/private-key.pem
SSLCertificateChainFile /var/www/netbizboom/Data/Certificates/intermediate.ca-bundle

And I notice the intermediate.ca-bundle file is from 2019 so I suspect this is the "intermediate certificate" that you say is incorrect? I replaced it with one I downloaded via https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem but I'm still getting the error in the test.

Am I going down the wrong path here? Your response doesn't provide resolution instructions. :slight_smile:

1 Like

Your server sends the old X3, not the newer R3. At minimum, a restart is required.

You have created that buggy configuration with a hardcoded intermediate certificate. Nobody knows what you have done. So it's your job to change that.

Restarting Apache on my servers seems to have resolved the issue, thanks!

On the one point - I'm sorry I don't understand what you mean by "hardcoded intermediate certificate". Is there some other way I should be providing this certificate other than having it configured via my VHOSTS file?

2 Likes

My vhosts have no certificates; those are handled by Apache separately and effectively.

Let's Encrypt always sends the correct intermediate certificate.

So normally the update X3 -> R3 isn't a problem.

Looks like

  • your client is buggy, so your client uses / installs a hard-coded intermediate (or)
  • you have created the vHost definitions manually, then it's your error.
1 Like

We're using the Let's Encrypt PHP library to obtain our certificates and I don't see a mention in there of the intermediate certificate being provided. Here's the docs I'm looking at:

https://acmephp.github.io/documentation/getting-started/2-obtain-certificate-easy.html

1 Like

It provides "fullchain.pem" (which is a concatenation of the end leaf certificate plus the intermediate certificate) as described here: Acme PHP | Documentation

2 Likes

In that documentation, I can't find this line.

There is only something like

SSLCertificateFile      /home/youruser/.acmephp/master/certs/yourdomain.org/public/fullchain.pem
SSLCertificateKeyFile   /home/youruser/.acmephp/master/certs/yourdomain.org/private/key.private.pem

So someone has created that vHost config in the wrong way.

1 Like

I believe our configuration is based on this line from that page near the top under "Apache 2.2.32":

SSLCertificateChainFile /home/youruser/.acmephp/master/certs/yourdomain.org/public/fullchain.pem

What I'm trying to figure out now is how we receive the fullchain.pem via the REST API.

1 Like

Your server answers with a

Server: Apache/2.4.18 (Ubuntu)

So the wrong documentation is used.

1 Like
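The two vhost shapes being compared in this thread, side by side, as an added example (not from the thread, the Acme PHP docs or the Apache docs). The paths are the ones quoted earlier in the thread; the fullchain.pem path is assumed, since the thread does not say where the Acme PHP client writes it on this server.

```apacheconf
# Fragile form (the one the thread's vhost used, taken from the Apache 2.2
# section of the Acme PHP docs): the leaf comes from the ACME client, but the
# chain is a separately downloaded bundle that nothing refreshes. When the CA
# changes its intermediate (X3 -> R3), the leaf on disk and the chain on disk
# drift apart, and Apache keeps serving the old intermediate until it is told
# otherwise.
SSLCertificateFile      /var/www/netbizboom/Data/Certificates/socialattache.com/certificate.pub.pem
SSLCertificateKeyFile   /var/www/netbizboom/Data/Certificates/socialattache.com/private-key.pem
SSLCertificateChainFile /var/www/netbizboom/Data/Certificates/intermediate.ca-bundle

# Preferred form on Apache 2.4.8 and later (this server is 2.4.18):
# SSLCertificateFile may hold leaf + intermediate(s), which is exactly what the
# client's fullchain.pem contains, so the chain is renewed together with the
# leaf. SSLCertificateChainFile is deprecated from 2.4.8 and is not needed.
# Path below is assumed, not taken from the thread.
SSLCertificateFile      /var/www/netbizboom/Data/Certificates/socialattache.com/fullchain.pem
SSLCertificateKeyFile   /var/www/netbizboom/Data/Certificates/socialattache.com/private-key.pem
```

mod_ssl reads these files only when Apache starts or reloads, which is why swapping intermediate.ca-bundle on disk changed nothing in the thread until Apache was restarted. After changing either the files or the vhost, run `apachectl configtest` and then `systemctl reload apache2` (the Ubuntu service name; adjust if yours differs).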

You are correct, I assumed the most recent version was at the top. :slight_smile:

1 Like

Which REST API? :confused:

The Acme PHP library using https://acme-v02.api.letsencrypt.org/directory with the docs linked above.
