I have a problem with my SSL certificate that started today. My certificate was not due for renewal, but for some reason when a service like axios tries to do a POST to my server, I get a 'CERT_HAS_EXPIRED' error. I did force-renew my certificate to be sure, but I still have the same problem. If I access my domain with a browser like Chrome, I can see that my certificate is valid.
(i.e. just remove the cross-signed ISRG Root X1 from the chain), I suspect that your client(s) will begin to trust your server again.
You can make that change manually by editing the chain file used by your webserver. You can make the change permanently by editing the configuration of your ACME client to request the alternate chain.
Thank you for your help; after removing the last certificate from my fullchain, my problems were solved. I just hope that when the certificate is renewed it will not add the faulty certificate to my fullchain again.
It most likely will. However, hopefully by then clients will stop trying to validate the chain up to the expired DST Root CA X3, maybe because that root has been removed or because the client has been updated to validate chains differently.
When I run the command 'openssl s_client -connect example.com:443 -servername example.com' I see what needs to be changed, but I can't edit it on screen... the PEM file /etc/letsencrypt/live/example.com/fullchain.pem does not have the same content to delete and save with VIM or NANO... Which Ubuntu walkthrough should I follow to edit it?
Is there any command that allows me to edit the fullchain PEM with openssl? Because the same content does not appear in the file when I open it with a Linux text editor like VIM or NANO.
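The manual edit discussed above (dropping the last certificate in fullchain.pem, the ISRG Root X1 cross-signed by DST Root CA X3) done programmatically, as an added example that is not code from this thread or from Let's Encrypt. It uses only the Python standard library, identifies the certificate to drop by its issuer CN rather than by position, and the three-certificate chain at the bottom is constructed sample input, not real certificates.

```python
# Added example: drop the cross-signed ISRG Root X1 (issuer: expired DST Root CA X3) from fullchain.pem.
import base64, re
CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)

def read_tlv(buf, pos=0):  # decode one DER TLV at pos -> (tag, value, end offset)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def children(value):  # yield (tag, value) for each child TLV of a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def common_name(name):  # Name = SEQUENCE OF SET OF SEQUENCE {OID, value}
    atvs = [list(children(atv)) for _, rdn in children(name) for _, atv in children(rdn)]
    return next((val.decode() for (_, oid), (_, val) in atvs if oid == CN_OID), "")

def describe(der):  # -> (subject CN, issuer CN) of one DER-encoded certificate
    fields = list(children(read_tlv(read_tlv(der)[1])[1]))  # Certificate -> tbsCertificate
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip EXPLICIT [0] version
    return common_name(fields[4][1]), common_name(fields[2][1])  # subject, issuer

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def trim_chain(fullchain, untrusted=frozenset({"DST Root CA X3"})):
    """Return (PEM text without certs issued by an untrusted root, CNs of dropped certs)."""
    kept, dropped = [], []
    for m in PEM_RE.finditer(fullchain):
        subject, issuer = describe(base64.b64decode(m.group(1)))
        if issuer in untrusted:
            dropped.append(subject)
        else:
            kept.append(m.group(0))
    return "\n".join(kept) + "\n", dropped

# Constructed sample input standing in for a real fullchain.pem (unsigned, X.509-shaped DER).
def der(tag, *parts):  # minimal DER encoder for bodies up to 255 bytes
    body = b"".join(parts)
    return bytes([tag, len(body)] if len(body) < 0x80 else [tag, 0x81, len(body)]) + body
def name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, CN_OID), der(0x0C, cn.encode()))))
def fake_cert(subject, issuer):  # version, serial, sigalg, issuer, validity, subject, spki
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0x30), name(issuer),
              der(0x30, der(0x17, b"210930000000Z"), der(0x17, b"240930000000Z")), name(subject), der(0x30))
    b64 = base64.b64encode(der(0x30, tbs, der(0x30), der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"
SAMPLE_FULLCHAIN = "\n".join([fake_cert("example.com", "R3"), fake_cert("R3", "ISRG Root X1"),
                              fake_cert("ISRG Root X1", "DST Root CA X3")]) + "\n"
```

Run `trim_chain(open("/etc/letsencrypt/live/example.com/fullchain.pem").read())` and write the returned text to a new chain file; the leaf and R3 are kept byte-for-byte and only the cross-signed root is dropped.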
I have the same issue, but after removing the last certificate, when I check on the client with openssl s_client -connect media.lumi.com.vn:443 -servername media.lumi.com.vn
I see "Verify return code: 20 (unable to get local issuer certificate)".
I edited the fullchain.pem file and removed the last certificate.
My output from openssl s_client -connect vr.cbraction.com:443 -servername vr.cbraction.com looks good:
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = vr.cbraction.com
verify return:1
---
Certificate chain
0 s:CN = vr.cbraction.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
subject=CN = vr.cbraction.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3193 bytes and written 388 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: C967FA1B3DB8514C786CF04B352996A0083569A867287CDD813772AB211EB3EC
Session-ID-ctx:
Resumption PSK: B143ECEFB0EFB9092270973511893D3A3AA440F127711C3D9D0329FDC56CD167C648834EDB85B7E320218E3C5FE0350F
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
0000 - 8b c9 85 9d d5 3f 0e 0e-6b 09 03 94 3e 43 1c 70 .....?..k...>C.p
0010 - 23 c7 dd cc 00 63 82 65-16 2f 61 79 5f 75 0a 65 #....c.e./ay_u.e
Start Time: 1633342479
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: AA5BA92C2A3813E7136C81C74E53A40FB7738521456A07C1841CE8092C9F8E6F
Session-ID-ctx:
Resumption PSK: 561CA6CE181598285B92669A4CB4233436DD4EF84DCC768560532C0C10081EC622442AD3C607E669D61C99F750EFE940
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
0000 - d1 fc 6c 98 32 0b cc 82-dd 71 d8 8c b9 ce 6c 97 ..l.2....q....l.
0010 - f5 b7 fc 2f c7 b4 46 6f-60 07 dd 0a 3b 32 86 4a .../..Fo`...;2.J
Start Time: 1633342479
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
But when I run the command on the client I have problems:
faketime -f '@2021-10-01 00:00:00' curl https://vr.cbraction.com
curl: (60) SSL certificate problem: certificate is not yet valid
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.