OpenSSL/Browser still showing 'Certificate Expired' after renewal by certbot

You can mark any of the posts as the Solution from the bottom menu in each post

What openssl version is it? It might just be an old one that reports it that way. Although, I checked with openssl 3.0.2 and a 1.0.2k and neither reports like that.

Was that the entire openssl output related to the cert and chain? (don't need to see the actual cert) Because usually each step of the chain is shown and that DST cert in the chain is not usually depth 1.

It might be related to how your openssl is handling the extra leaf cert, which you should remove.

Note there is an expired cert in the chain (DST Root CA X3) which is for compatibility for older Android devices. It is included in the default chain from Let's Encrypt. In fact, this website even uses that default chain. It's possible this could cause problems with certain clients and you could consider the "short chain" instead.

Certbot can return the short chain with the --preferred-chain "ISRG Root X1" option.

More info on these chains is here:

4 Likes
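An added example, not part of the thread: a shell function that lists every certificate in a PEM chain file with its subject, issuer and expiry, so an extra leaf, an expired entry or a chain ending in a DST Root CA X3 issuer is visible at a glance. The function name `chain_report` and its output format are assumptions made for this example; it only uses standard `openssl x509` options.

```shell
#!/bin/sh
# Added example: audit each certificate in a PEM bundle (e.g. certbot's fullchain.pem).
# Usage: chain_report FILE [SECONDS]
#   SECONDS is the look-ahead window passed to -checkend (default 0 = expired now).
# Returns 1 if any certificate is expired/expiring or appears twice, 2 on bad input.
chain_report() {
    bundle=$1
    window=${2:-0}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    workdir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, keeping file order.
    awk -v dir="$workdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$bundle"
    status=0
    seen=""
    i=1
    while [ -f "$workdir/$i.pem" ]; do
        pem="$workdir/$i.pem"
        subject=$(openssl x509 -in "$pem" -noout -subject)
        issuer=$(openssl x509 -in "$pem" -noout -issuer)
        enddate=$(openssl x509 -in "$pem" -noout -enddate)
        fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
        flag=ok
        # -checkend exits non-zero when notAfter falls inside the window.
        if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null; then
            flag=EXPIRED; [ "$window" -gt 0 ] && flag=EXPIRING
            status=1
        fi
        # The same certificate listed twice points at a badly assembled chain file.
        case "$seen" in
            *"$fp"*) flag="$flag,DUPLICATE"; status=1 ;;
        esac
        seen="$seen $fp"
        echo "[$((i - 1))] $flag | $subject | $issuer | $enddate"
        i=$((i + 1))
    done
    rm -rf "$workdir"
    return "$status"
}

# Run directly: sh chain_report.sh /path/to/fullchain.pem [seconds]
if [ "$#" -gt 0 ]; then chain_report "$@"; fi
```

Index 0 should be the only leaf; more than one entry whose subject is your own domain means an extra leaf was pasted into the file.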