One of the root or intermediate certificates has expired

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command:

It produced this output:

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2016 V 10.0.14393

My hosting provider, if applicable, is: hostwinds

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): plesk 18.0.38

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): don't know

A small number of people are writing to me saying that they are having issues entering the websites I am running. Mostly from mobile devices. Checking through SSL Checker I am seeing a message saying "One of the root or intermediate certificates has expired (2 days ago)"

You're serving a really old certificate chain.

>openssl s_client -connect

depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN =
verify return:1
Certificate chain
 0 s:CN =
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

This means that your web server isn't serving the chain that your ACME client is getting.

Your "ACME client" is the software that's getting and installing the certificate from Let's Encrypt for you. If you don't know what that is, it's going to be a lot harder for you to fix it. How did you get a certificate? Is it just a button in that control panel? If so, it may need to be something handled by your hosting company (or whoever installed/configured that control panel) rather than something you can do yourself.
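
An added example, not part of the original thread: a small Python check that parses the "Certificate chain" listing printed by `openssl s_client` and flags a server that still sends the R3 intermediate issued directly by DST Root CA X3, as in the output above. Both sample listings are constructed, with `example.com` standing in for the withheld domain; the second shows a chain where R3 is issued by ISRG Root X1, which must not be flagged even though DST Root CA X3 appears at the top.

```python
import re

# Constructed sample: the listing from the post above (example.com is a placeholder).
OLD_CHAIN = """\
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

# Constructed sample: R3 issued by ISRG Root X1, cross-signed ISRG Root X1 on top.
NEW_CHAIN = """\
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

def common_name(dn):
    """Return the CN from an openssl one-line DN ('CN = x' or '/CN=x')."""
    m = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else None

def parse_chain(s_client_output):
    """Return [(depth, subject_cn, issuer_cn), ...] from the chain listing."""
    chain, pending = [], None
    for line in s_client_output.splitlines():
        subj = re.match(r"\s*(\d+)\s+s:(.*)", line)
        issuer = re.match(r"\s+i:(.*)", line)
        if subj:
            pending = (int(subj.group(1)), common_name(subj.group(2)))
        elif issuer and pending:
            chain.append((*pending, common_name(issuer.group(1))))
            pending = None
    return chain

def serves_retired_r3(s_client_output):
    """True if the server sends R3 issued directly by DST Root CA X3."""
    return any(subject == "R3" and issuer == "DST Root CA X3"
               for _, subject, issuer in parse_chain(s_client_output))

if __name__ == "__main__":
    for name, text in (("old", OLD_CHAIN), ("new", NEW_CHAIN)):
        print(name, parse_chain(text), "retired R3:", serves_retired_r3(text))
```

Running the same check against each site on a server makes it easy to spot which bindings still serve the old chain.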


I am using Plesk and I would have thought that it was being taken care of by the automatic reissuing process.

On another domain just reissuing the certificate did the trick, I guess I'll have to see by hand one by one.

I contacted my hosting company to see what went wrong.

I found a strange one: and seem to have a different chain. How can that be possible?


Plesk controls them both.
So let your Hosting Service Provider (HSP) [hostwinds] know about this problem.
And, yes, the one on the left should not have been used [since May 2021].


Thank you! The hard part is making my hosting provider understand there is an issue, they keep saying "the website comes up fine".


It might - but only from systems that still trust that expired cert or ones that ignore it and build their own trust or have short-circuited the validation checks by using previously seen and cached cert information.
But it definitely won't for all clients!
Tell them to use a real tool - not a browser to check it with.


Is something I can suggest as a tool?


You shouldn't have to give any tools to mechanics!
They get paid to have and use good tools.



For IIS, if some of your sites are serving the correct chain and others are not you should reboot the server immediately. There are workarounds (rebinding in IIS etc) but just do the reboot, it will 100% fix all of these problems on that server.

If none of your sites were serving the correct chain the solution would have been to install ISRG Root X1, then reboot, but it sounds like you already have the ISRG Root X1 installed (see Manage Computer Certificates > Trusted Certification Authorities, it should be under there as ISRG Root X1 issued by ISRG Root X1).

