Problem with certificate has expired

Hi,

I have a problem with my SSL certificate that started today. My certificate was not due for renewal, but for some reason when a service like axios tries to do a POST to my server, I get a 'CERT_HAS_EXPIRED' error. I did force-renew my certificate to be sure, but I still have the same problem. If I access my domain with a browser like Chrome, I can see that my certificate is valid.

My domain is: admin.netsign.tv

I ran this command to force renew my certificate: sudo certbot renew --apache --cert-name admin.netsign.tv --force-renewal

It produced this output:

My web server is (include version): apache2 server

The operating system my web server runs on is (include version): Ubuntu 20

Thanks for your help


Hi @epoirier,

Here's the certificate chain you're serving, which needs to change.

$ openssl s_client -connect admin.netsign.tv:443 -servername admin.netsign.tv
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = admin.netsign.tv
verify return:1
---
Certificate chain
 0 s:CN = admin.netsign.tv
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

If you update that to

---
Certificate chain
 0 s:/CN=<your domain here>
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---

(i.e. just remove the cross-signed ISRG Root X1 from the chain), I suspect that your client(s) will begin to trust your server again.

You can make that change manually by editing the chain file used by your webserver. You can make the change permanently by editing the configuration of your ACME client to request the alternate chain.

sudo ./certbot certonly --apache -d ${DOMAIN} --dry-run --preferred-chain="ISRG Root X1"

Thank you for your help,

I'm trying to change my configuration, but I get the following error:
certbot: error: unrecognized arguments: --preferred-chain ISRG Root X1

I'm on Ubuntu 18 and I do not seem to be able to upgrade further than certbot 0.31.0.

Simply edit the fullchain.pem file and remove the last certificate.


Thank you for your help. After removing the last certificate from my fullchain, my problems were solved. I just hope that when the certificate is renewed, it will not add the faulty certificate to my fullchain again.


Oh, but it will - Happy Halloween! - LOL
[I'm sure there is much more to be said, and done, about this topic in the (<90) days to come]


It most likely will. However, hopefully by then clients will stop trying to validate the chain up to the expired DST Root CA X3, maybe because that root has been removed or because the client has been updated to validate chains differently.


Thank you very much for your advice!
I want to add that I additionally needed to remove the last certificate from the file chain.pem.

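The two fixes above (dropping the last block from fullchain.pem, and from chain.pem as well) rely on the cross-signed root being the last certificate in the file. The Python below is an added example, not code from this thread, from certbot or from openssl: it walks the DER of each PEM block just far enough to read the subject and issuer CN, removes the certificate whose subject is ISRG Root X1 and whose issuer is DST Root CA X3, and leaves everything else in order, so it does the right thing on either file and is harmless on a chain that already ends at R3. The certificates it runs on are constructed stand-ins (an assumption, marked in the code) with only the name fields filled in; they are not real certificates and will not verify anywhere. The function and variable names are mine, not certbot's.

```python
# Added example (not code from the thread, certbot or openssl): drop the
# cross-signed ISRG Root X1 from a Let's Encrypt chain file by matching the
# certificate's subject/issuer names, not by assuming it is the last block.
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)
OID_CN = b"\x55\x04\x03"  # id-at-commonName, OID 2.5.4.3


def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, start, end, next)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def name_cn(buf, start, end):
    """Walk an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue); return CN."""
    pos = start
    while pos < end:
        _, rdn_s, rdn_e, pos = der_tlv(buf, pos)      # RelativeDistinguishedName SET
        p = rdn_s
        while p < rdn_e:
            _, atv_s, _, p = der_tlv(buf, p)          # AttributeTypeAndValue SEQUENCE
            _, oid_s, oid_e, q = der_tlv(buf, atv_s)  # OBJECT IDENTIFIER
            _, val_s, val_e, _ = der_tlv(buf, q)      # PrintableString or UTF8String
            if buf[oid_s:oid_e] == OID_CN:
                return buf[val_s:val_e].decode("utf-8")
    return None


def cert_names(der):
    """Return (subject CN, issuer CN) by walking tbsCertificate up to 'subject'."""
    _, tbs, _, _ = der_tlv(der, 0)                    # Certificate SEQUENCE
    _, pos, _, _ = der_tlv(der, tbs)                  # tbsCertificate SEQUENCE
    tag, _, _, nxt = der_tlv(der, pos)
    if tag == 0xA0:                                   # optional [0] EXPLICIT version
        pos = nxt
    _, _, _, pos = der_tlv(der, pos)                  # serialNumber
    _, _, _, pos = der_tlv(der, pos)                  # signature AlgorithmIdentifier
    _, iss_s, iss_e, pos = der_tlv(der, pos)          # issuer Name
    _, _, _, pos = der_tlv(der, pos)                  # validity
    _, sub_s, sub_e, _ = der_tlv(der, pos)            # subject Name
    return name_cn(der, sub_s, sub_e), name_cn(der, iss_s, iss_e)


def chain_summary(pem_text):
    """(subject CN, issuer CN) per block, like the s:/i: lines of openssl s_client."""
    return [cert_names(base64.b64decode("".join(m.group(1).split())))
            for m in PEM_RE.finditer(pem_text)]


def strip_cross_sign(pem_text, root_cn="ISRG Root X1", cross_issuer_cn="DST Root CA X3"):
    """Return (cleaned PEM text, names of the certificates that were removed)."""
    kept, removed = [], []
    for m, names in zip(PEM_RE.finditer(pem_text), chain_summary(pem_text)):
        if names == (root_cn, cross_issuer_cn):
            removed.append(names)
        else:
            kept.append(m.group(0))          # everything else stays, in order
    return "\n".join(kept) + "\n", removed


# Constructed fixtures (assumption: NOT real certificates). Only the
# tbsCertificate fields read above are filled in, so they verify nowhere.
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        length = b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def _name(cn):  # Name with a single CN RDN as PrintableString
    atv = _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x13, cn.encode("ascii")))
    return _tlv(0x30, _tlv(0x31, atv))

def fake_cert_pem(subject_cn, issuer_cn):
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + _tlv(0x30, b"") + _name(issuer_cn) + _tlv(0x30, b"") + _name(subject_cn))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# The chain admin.netsign.tv was serving: leaf, R3, cross-signed ISRG Root X1.
FULLCHAIN = (fake_cert_pem("admin.netsign.tv", "R3")
             + fake_cert_pem("R3", "ISRG Root X1")
             + fake_cert_pem("ISRG Root X1", "DST Root CA X3"))

if __name__ == "__main__":
    cleaned, removed = strip_cross_sign(FULLCHAIN)
    print("removed:", removed, "\nafter:", chain_summary(cleaned))
```

To apply it, read /etc/letsencrypt/live/<name>/fullchain.pem (and chain.pem) into a string, write the first return value back, and reload the web server; the second return value should name exactly one certificate. Running it a second time changes nothing, and certbot will regenerate both files at the next renewal, as noted above.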

I agree with Osiris that this will most likely be a problem again when your certificate is renewed.

The easiest way for you to fix the problem (especially since you're on Ubuntu) is to install Certbot for Apache using snap.


This simple hint was the only thing that worked for me, thanks @rg305


Hi @vsi welcome to the LE community :slight_smile:
I'm glad to have made it simple for you.


When I run the command 'openssl s_client -connect example.com:443 -servername example.com' I see what needs to be changed, but I can't edit on screen... the pem file /etc/letsencrypt/live/example.com/fullchain.pem does not have the same content to delete and save with vim or nano... Which Ubuntu walkthrough to edit?

Hi @edson-junior-br welcome to the LE community forum :slight_smile:

What does it have?
What would you like it to have?

Is there any command that allows me to edit the fullchain.pem with openssl? Because the same content does not appear in the file when editing with a Linux text editor like vim or nano.

OpenSSL doesn't make the fullchain.pem file - certbot does.
OpenSSL is only used to test things (in this scenario).

I have the same issue, but after removing the last certificate, when I check on the client with openssl s_client -connect media.lumi.com.vn:443 -servername media.lumi.com.vn,

I see "Verify return code: 20 (unable to get local issuer certificate)".

I don't know what happened.

Did you restart the web service?
The last cert is still being served:

 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----

Can you check again? I've now changed the file fullchain.pem and restarted nginx.

Certificate chain
 0 s:CN = media.lumi.com.vn
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFKDCCBBCgAwIBAgISBDFLWhP7wN8VRsrfPT6ERVq9MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTEwMDQwNjQ2NTFaFw0yMjAxMDIwNjQ2NTBaMBwxGjAYBgNVBAMT
EW1lZGlhLmx1bWkuY29tLnZuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEA622bTUw+Jo+KHtL5FK8iQ4ktlKqBA/AJR/wVkE1ZE6iklRJkLnWja4MsLXYt
l8vauz2XWlDL9CBjxKrkZu0hJshs22co4DwuoM2R2BqztNlMT+6fvAjTSEpMpihI
Ftm/vo2nmlJ3O/CyAaAkreV+ngvwuoz45rgvvpG8TIx/T/oZmYFAynbnQEEF0QLx
R5KiglDmyIPgEBrja6AI1T5leU62iHH5wFFxS1lL+DecQXGAtoExg6pwZG4iWUFl
zHyi8+xzKIQoQUn0WVi+oZScKPmDVQo0/PcwqqLUSIAXzfBYvD2qM8elA/u8SyRN
P67fWWO8ym/soqSwZ29To6MNCwIDAQABo4ICTDCCAkgwDgYDVR0PAQH/BAQDAgWg
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G
A1UdDgQWBBQ2XVQO2KN5HDBdhauIqMg2ffYQ6zAfBgNVHSMEGDAWgBQULrMXt1hW
y65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6
Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iu
b3JnLzAcBgNVHREEFTATghFtZWRpYS5sdW1pLmNvbS52bjBMBgNVHSAERTBDMAgG
BmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz
LmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB1AEalVet1
+pEgMLWiiWn0830RLEF0vv1JuIWr8vxw/m1HAAABfEpFDPcAAAQDAEYwRAIgErQP
xi2Hpq83lkQNveRtevNZXc+20aymmSayXNbpQaMCIEILftOBSyUgs4xZOKEx5XvH
vU/MIhHvSsZbU8go2ipbAHcAb1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo3
2RMAAAF8SkUOcAAABAMASDBGAiEAxeMUf1KhDCT4S8gX1QfXBQlIJ3sqOPXQGWcb
9i/LjAACIQCDkEvMxUval0AkyRkmbt9PGpvohrEmw92bXZ27tYEwKDANBgkqhkiG
9w0BAQsFAAOCAQEArD94juQseZbTxGMHTlb5ZAzBY2qpPZ9wN+vNrf7UMAy/eKOk
V8e4iuTjbXuI7HmHdDVp4eXBIKYagKi/FYK2okCksNa8j5IkD8sZ+hQlremshSy6
zlp0YDb2hinKDaEG2eZPSQBk0k5fSg9sBH9eKCpIPCzkUxnWRtV/aEJnd0iARs+7
m2dCkbrsMs9/OwrY1eIbeYR/yRB+PQ44xeFFy2m4pmASCrfsgPkb3EM6ZiWiJd2m
IVH+Fhx8TTkH19wSc3dNldVHZIfk77tLxuExa4f0713EzAEjjIN4HIbaoAjarBP2
VPoRVUys3OwZUBT6yNF49eo7apWMcWWBzVcyaw==
-----END CERTIFICATE-----
subject=CN = media.lumi.com.vn

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3115 bytes and written 412 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: B3E5C9CF01A23367682F69E8A3DBBFEB7126CF9AC4C7E080C596402C5FA32A18
    Session-ID-ctx:
    Master-Key: 1A71249EA6483A08A14B0B964C02792C9295001E008EF9AE68D8710CC7D529EA34B9C601EE6464A059BDEFC96B4B3713
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1633337655
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes

@trunglv
Much better now :slight_smile:

Hello!

I edited the fullchain.pem file and removed the last certificate.
My output of openssl s_client -connect vr.cbraction.com:443 -servername vr.cbraction.com looks good:

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = vr.cbraction.com
verify return:1
---
Certificate chain
 0 s:CN = vr.cbraction.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=CN = vr.cbraction.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3193 bytes and written 388 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: C967FA1B3DB8514C786CF04B352996A0083569A867287CDD813772AB211EB3EC
    Session-ID-ctx:
    Resumption PSK: B143ECEFB0EFB9092270973511893D3A3AA440F127711C3D9D0329FDC56CD167C648834EDB85B7E320218E3C5FE0350F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 8b c9 85 9d d5 3f 0e 0e-6b 09 03 94 3e 43 1c 70   .....?..k...>C.p
    0010 - 23 c7 dd cc 00 63 82 65-16 2f 61 79 5f 75 0a 65   #....c.e./ay_u.e

    Start Time: 1633342479
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: AA5BA92C2A3813E7136C81C74E53A40FB7738521456A07C1841CE8092C9F8E6F
    Session-ID-ctx:
    Resumption PSK: 561CA6CE181598285B92669A4CB4233436DD4EF84DCC768560532C0C10081EC622442AD3C607E669D61C99F750EFE940
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - d1 fc 6c 98 32 0b cc 82-dd 71 d8 8c b9 ce 6c 97   ..l.2....q....l.
    0010 - f5 b7 fc 2f c7 b4 46 6f-60 07 dd 0a 3b 32 86 4a   .../..Fo`...;2.J

    Start Time: 1633342479
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

But when I run the command on the client, I have problems:

faketime -f '@2021-10-01 00:00:00' curl  https://vr.cbraction.com
curl: (60) SSL certificate problem: certificate is not yet valid
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.