Since yesterday we have the following issue: some Macs report that the R3 certificate is expired when accessing our site, specifically 2 Macs running macOS 10.15.7. All PCs are fine, other Macs running 11.6 and 10.12.6 are fine too. Clearing caches didn't help.
We renewed our SSL certificate in the hope that this would fix it, but no luck. We're not providing the intermediate cert directly - could we do this in nginx? What else can we do to troubleshoot or fix this?
Yes, check your nginx configuration. For nginx, the leaf and chain certificate should both go in the same file. The currently-recommended chain is always provided by the Let's Encrypt certificate authority when issuing a certificate, so you should already have it on your system. For example, if you're using Certbot, you just need to change your configuration from pointing at cert.pem to pointing at fullchain.pem.
Oh interesting! I get 4 things when generating a new cert:
The cert (I renamed this to certificate.crt)
The key (I renamed this to private.pem)
The intermediate CA cert (ca.cer)
The full chain cert (fullchain.cer)
Are you saying I can simply use fullchain.cer instead of the key (private.pem) and that would fix it? Oh, or will that only work for Certbot (which we're not using)?
The fullchain.cer file corresponds to what Certbot calls fullchain.pem. Yes, you do need one of ca.cer or fullchain.cer depending on your server application.
fullchain.cer is the same as certificate.crt + ca.cer combined in one file.
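The check below is an added example, not part of the thread: it reads an nginx config, finds the file named by ssl_certificate, and counts the certificates that file would serve, so a leaf-only file (count 1, no intermediate sent) stands out. The /etc/ssl paths, the config text and the certificate payloads are constructed placeholders, not real certificates.

```python
import base64
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    """Return the DER bytes of every certificate block in a PEM file, in order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_CERT.findall(text)]

def is_fullchain(fullchain, leaf, chain):
    """True when fullchain is exactly the leaf followed by the chain certs."""
    return pem_certs(fullchain) == pem_certs(leaf) + pem_certs(chain)

def nginx_cert_paths(conf):
    """Paths named by ssl_certificate directives (ssl_certificate_key is skipped)."""
    return re.findall(r"^\s*ssl_certificate\s+([^;\s]+)\s*;", conf, re.M)

def audit(conf, files):
    """Map each ssl_certificate path to the number of certificates it serves."""
    return {p: len(pem_certs(files[p])) for p in nginx_cert_paths(conf)}

def _fake_pem(payload):
    # Constructed stand-in: PEM framing around arbitrary bytes, not a real cert.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

LEAF = _fake_pem(b"constructed leaf certificate bytes")        # certificate.crt
CA = _fake_pem(b"constructed intermediate certificate bytes")  # ca.cer
FILES = {  # hypothetical paths standing in for the files on disk
    "/etc/ssl/certificate.crt": LEAF,
    "/etc/ssl/fullchain.cer": LEAF + CA,
}
CONF_BEFORE = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/certificate.crt;  # leaf only
    ssl_certificate_key /etc/ssl/private.pem;      # the key stays as it is
}
"""
CONF_AFTER = CONF_BEFORE.replace("certificate.crt", "fullchain.cer")

if __name__ == "__main__":
    for name, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        for path, count in audit(conf, FILES).items():
            status = "chain missing" if count < 2 else "leaf + chain"
            print(f"{name}: {path} holds {count} certificate(s): {status}")
```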