Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:www.araucogestion.cl
I ran this command:
It produced this output:
My web server is (include version): IIS 10
The operating system my web server runs on is (include version): Windows Server 2016 V 10.0.14393
My hosting provider, if applicable, is: hostwinds
I can login to a root shell on my machine (yes or no, or I don't know):yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): plesk 18.0.38
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): don't know
A small number of people are writing to me saying that they are having issues entering the websites I am running. Mostly from mobile devices. Checking thru SSL Checker I am seeing a message saying "One of the root or intermediate certificates has expired (2 days ago)"
>openssl s_client -connect www.araucogestion.cl:443
CONNECTED(000001A0)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = araucogestion.cl
verify return:1
---
Certificate chain
0 s:CN = araucogestion.cl
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
This means that your web server isn't serving the chain that your ACME client is getting.
Your "ACME client" is the software that's getting and installing the certificate from Let's Encrypt for you. If you don't know what that is, it's going to be a lot harder for you to fix it. How did you get a certificate? Is it just a button in that control panel? If so, it may need to be something handled by your hosting company (or whoever installed/configured that control panel) rather than something you can do yourself.
Plesk controls them both.
So let your Hosting Service Provider (HSP) [hostwinds] know about this problem.
And, yes, the one on the left should have not been used [since May 2021].
It might - but only from systems that still trust that expired cert or ones that ignore it and build their own trust or have short-circuited the validation checks by using previously seen and cached cert information.
But it definitely won't for all clients! Tell them to use a real tool - not a browser to check it with.
For IIS, if some of your sites are serving the correct chain and others are not you should reboot the server immediately. There are workarounds (rebinding in IIS etc) but just do the reboot, it will 100% fix all of these problems on that server.
If none of your sites where serving the correct chain the solution would have been to install ISRG Root X1, then reboot, but it sounds like you already have the ISRG Root X1 installed (see Manage Computer Certificates > Trusted Certification Authorities, it should be under there as ISRG Root X1issued byISRG Root X1)
