Plz help me with this invalid certificate!

proof:

1 Like

Welcome to the community @I_need_to_fix_my_rng

We would be happy to help with this. I see you have a long and successful history getting Let's Encrypt certificates. Your last successful renewal was on Sept 17.

On Sept 30 one of the root certificates Let's Encrypt uses expired. At this time the cert chain used by the Let's Encrypt servers also changed and clients (like Certbot) needed to be able to verify the root ISRG Root X1.

Your server is probably missing this. If you tell us what you are using we can be more specific. Please provide:

Operating system name and version
Client used to get certs and its version

5 Likes

Welcome to the Let's Encrypt Community, @I_need_to_fix_my_rng
The certificate is Expired
Not After Thu, 16 Dec 2021 05:23:36 GMT

1 Like

Oh, so what should I do about it?
(but why and how?)

1 Like

Are you the administrator of the server involved? If so, we'd need to know how you got certificates in the first place and what software is running on the server in order to help you.

If you're just a user unhappy that your favorite site isn't working, there's not much you can do beyond trying to contact the owner/administrator of the site and tell them to fix it.

7 Likes

Not really (and this is actually not my favorite website) (and how do I contact the owner/administrator or which website?)

1 Like

If you're just a user of the www.randomnamepicker.net site, there's really nothing you can do to fix the error as it's a problem on the server side. You may be able to tell your browser to just continue anyway unsafely. That screenshot looks like Chrome; if you scroll down in the advanced section you may see a link to proceed anyway. But if you do so, be aware that the connection isn't actually secure anymore. If you do get onto the site, they may have an email address or "contact us" form you could use to tell the owners of the site that their site is broken.

7 Likes

Offtopic: Technically there's nothing wrong with an expired certificate: the TLS connection is secure anyway. Only thing is: I'm not sure if the certificate is being validated for the other important things if it has expired?

5 Likes

Well, even if the browser is checking other things, if one gets in the habit of just clicking through anyway it could be easy to miss that it's saying the name is wrong or whatever other problems there might be, so I didn't want to encourage anyone reading that "just clicking through is fine". Also, the longer something is expired the more likely it becomes that the domain isn't actually owned by the same party or that there's some other problem arising that a CA wouldn't issue a new certificate for.

Plus, once a certificate expires, I don't think there's any meaningful OCSP or other revocation info available, so in theory the key could be compromised (or the cert could have had some other problem) and CAs all know of the issue, but the browser still wouldn't, if I understand correctly. That is, if I managed to exploit a bug to trick a CA into issuing a cert for some domain I don't actually control, and then the CA quickly realizes the problem and revokes the cert, I wait for it to expire, and then I can intercept connections showing them the expired certificate, then the browser couldn't know the difference between that case and a "legitimate" certificate that had just expired.

In practice, as with all security decisions it's about what threats you're trying to protect against and what tradeoffs you're willing to accept. If it's a website where I'm just clicking through to find a list of random names I like (I don't know what this particular site actually does, I'm just guessing based on the URL) it may not be a problem if some well-resourced third-party could in theory intercept, monitor, or manipulate the connection. For other websites, like if I was providing bitcoin addresses or credit card numbers, that might not be an acceptable risk.

8 Likes
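Added example, not part of any post in this thread: a small Python audit that evaluates validity period and hostname independently and reports every failure, so an expiry does not hide a name mismatch. The input dict follows the shape of Python's `ssl` `getpeercert()` output; the `notAfter` value and hostname come from this thread, while `notBefore`, the SAN list, the function names and the 30-day renewal threshold are assumptions. Revocation is not checked.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample: notAfter is the date quoted in the thread,
# notBefore and subjectAltName are assumed for illustration.
SAMPLE_CERT = {
    "notBefore": "Sep 17 05:23:37 2021 GMT",
    "notAfter": "Dec 16 05:23:36 2021 GMT",
    "subjectAltName": (("DNS", "randomnamepicker.net"),
                       ("DNS", "www.randomnamepicker.net")),
}

def name_matches(pattern: str, host: str) -> bool:
    """Match a DNS SAN entry; '*' may only replace the whole left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit(cert: dict, host: str, now: datetime, renew_days: int = 30) -> list:
    """Return all problems found instead of stopping at the first one."""
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    if ts < not_before:
        problems.append("not-yet-valid")
    if ts > not_after:
        problems.append("expired")
    elif not_after - ts < renew_days * 86400:
        # Still valid, but renewal should already have happened.
        problems.append("renewal-overdue")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(s, host) for s in sans):
        problems.append("name-mismatch")
    return problems

if __name__ == "__main__":
    when = datetime(2021, 12, 18, tzinfo=timezone.utc)
    for h in ("www.randomnamepicker.net", "www.example.net"):
        print(h, audit(SAMPLE_CERT, h, when))
```

Run on a schedule against a site's certificate, the `renewal-overdue` result flags a stalled renewal while the certificate is still valid.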

nvm it works again for a sudden reason

1 Like

Yes, they got a new cert as of

Sun, 19 Dec 2021 23:21:14 GMT

7 Likes
