Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
...any domain with LE issued certs
I ran this command:
Browsing via Chrome/Firefox/Opera on Win10 local machine
It produced this output:
When checking the TLS cert and issuer chain I noticed it was the old chain and did not include ISRG at all! I then spotted the old R3 Intermediate cert is in the certificate store on my Win10 machine and also within Firefox, and this is also true for my colleagues; we are running a typical enterprise Win10 image with regular patching.
The old R3 shows the issuer as 'DST Root CA X3' with NO mention of ISRG Root X1. This R3 cert expires 30th Sept 2021.
So my question is: won't this break the transition for many clients in the next couple of days as both old R3 and DST Root CA X3 expire? How widespread is this? We are running a typical enterprise Win10 image with regular patching.
I manually fixed this by downloading the newer R3 https://letsencrypt.org/certs/lets-encrypt-r3.der and deleting the old one from my local cert store; this then reflected the correct chain with ISRG being a part of it.
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
We are using Cert-manager to issue LE certs on K8, however this is not relevant for this issue. The relevant issue is old R3 intermediate certs still hanging around in many clients it seems!
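
The check described in the post, as an added example that is not part of the original post: a read-only PowerShell audit that lists every R3 intermediate cached in the Windows intermediate CA stores and reports which root issued each copy. The subject and issuer patterns are assumptions based on the names quoted in the post ('DST Root CA X3', 'ISRG Root X1').

```powershell
# Added example: read-only audit of cached Let's Encrypt R3 intermediates.
# Cert:\...\CA is the "Intermediate Certification Authorities" store.
$stores = 'Cert:\CurrentUser\CA', 'Cert:\LocalMachine\CA'
$now    = Get-Date

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object {
            # Assumed subject form: CN=R3, O=Let's Encrypt, C=US
            $_.Subject -match '(^|,\s*)CN=R3(,|$)' -and
            $_.Subject -match "O=Let's Encrypt"
        } |
        ForEach-Object {
            $cert  = $_
            # Classify by issuer name, as the post does when reading the chain.
            $chain = switch -Regex ($cert.Issuer) {
                'CN=DST Root CA X3' { 'old chain (DST Root CA X3)'; break }
                'CN=ISRG Root X1'   { 'new chain (ISRG Root X1)'; break }
                default             { 'unrecognised issuer' }
            }
            [pscustomobject]@{
                Store      = $store
                Chain      = $chain
                NotAfter   = $cert.NotAfter
                DaysLeft   = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
                Thumbprint = $cert.Thumbprint
            }
        }
}

if (-not $found) {
    'No R3 intermediate is cached in the Windows intermediate stores.'
} else {
    $found | Sort-Object NotAfter | Format-Table -AutoSize

    $old = @($found | Where-Object Chain -like 'old*')
    $new = @($found | Where-Object Chain -like 'new*')
    if ($old.Count -gt 0 -and $new.Count -eq 0) {
        Write-Warning 'Only the DST Root CA X3 issued R3 is cached; no ISRG Root X1 issued copy was found.'
    } elseif ($old.Count -gt 0) {
        Write-Warning "$($old.Count) cached R3 copy/copies still chain to DST Root CA X3."
    }
}
```

Firefox keeps its own certificate store, so this audit covers only the Windows stores.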