R3 Cert Expired

My cert will not expire until 11/11/21 However Im getting the R3 Error below. Please advise on what I need to do to fix this error. I also believe I have a redirect as well, does that impact anything? Thank you.

My domain is: tigeowners.com
My web server is :Bitnami LAMP 7.3.15-0 running on an AWS Instance
The operating system my web server runs on is: Ubuntu 16.04.6
My hosting provider: AWS Lightsail
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):AWS Lightsail
The version of my client is certbot 0.31.0

That's probably because your server does not send any intermediate certificate(s), but just the end leaf cert:

---
Certificate chain
 0 s:CN = tigeowners.com
   i:C = US, O = Let's Encrypt, CN = R3
---

That's bad and can lead to unexpected results, as you're seeing now.

If you've used a tutorial or how-to that tutorial or how-to was either incorrect or you didn't follow the instructions properly.

Personally I don't have (and don't want to have) any experience with Bitnami, so I cannot help you on how to install the proper certificate chain.

3 Likes

This thread describes the situation @Osiris pointed out and shows how to correct it for Apache

2 Likes

@MikeMcQ Please note that Bitnami stacks often don't use the regular Apache locations and/or configurations, so generic Apache instructions probably won't work directly, but need some "translation" to Bitnami.

2 Likes

It's the place to ask... :man_dancing:

2 Likes

Probably (the browser is) using the cross-signed R3 signed by DST Root CA X3.

Edit: Yup. I see it in the tree in the certificate screenshot.

1 Like

Nope, earlier it wasn't sending any intermediate, see my post above.

Currently however, the default certificate chain is being send:

---
Certificate chain
 0 s:CN = tigeowners.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

So all good now :slight_smile: Except maybe for clients not having the ISRG Root X1 root cert in their root store, but that's a different story :slight_smile:

2 Likes

I clarified to specify the browser. :wink:

1 Like

Sneaky ninja edit!

Yeah I don't really understand why and how browsers are still using that intermediate, even if it's not send by the server? Maybe cached from a different incorrectly configured server? It's got to come from somewhere.

2 Likes

It could also have been cached from a correctly configured server that was visited two weeks ago. Not sure how long these caches live.

1 Like

Two weeks? You mean five months?

The R3-signed-by-DST Root CA X3 hasn't been in use since May this year :wink:

2 Likes

It expired on September 29. GoDaddy was using it as recently as a month ago. Just because Let's Encrypt stopped including it doesn't mean it stopped being used. :grin:

1 Like

They what now? :sob:

2 Likes

See this...

1 Like

Ok I followed @MikeMcQ post and moved it to the correct path on apache and that seemed to fix it.

Now mysql seems to be running really slow so Im chasing a whole new issue.

Thank you all for the help. I appreciate it! Screen Shot 2021-10-12 at 3.12.42 PM

5 Likes