R3 certificate is expired on some Macs

Since yesterday we have the following issue: some Macs report that the R3 certificate is expired when accessing our site, specifically 2 Macs running MacOS 10.15.7. All PCs are fine, other Macs running 11.6 and 10.12.6 are fine too. Clearing caches didn't help.

We renewed our SSL certificate in the hope that this would fix it, but no luck. We're not providing the intermediate cert directly - could we do this in nginx? What else can we do to troubleshoot or fix this?

My domain is: cloud.enklu.com

My web server is (include version): nginx running in a docker container running in a VM on Azure.

The operating system my web server runs on is (include version): VM is running Ubuntu 18.04

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @markus-e,

Yes, check your nginx configuration. For nginx, the leaf and chain certificate should both go in the same file. The currently-recommended chain is always provided by the Let's Encrypt certificate authority when issuing a certificate, so you should already have it on your system. For example, if you're using Certbot, you just need to change your configuration from pointing at cert.pem to pointing at fullchain.pem.

Oh interesting! I get 4 things when generating a new cert:

  1. The cert (I renamed this to certificate.crt)
  2. The key (I renamed this to private.pem)
  3. The intermediate CA cert (ca.cer)
  4. The full chain cert (fullchain.cer)

Are you saying I can simply use fullchain.cer instead of the key (private.pem) and that would fix it? Oh, or will that only work for certbot (which we're not using)?

The fullchain.cer file corresponds to what Certbot calls fullchain.pem. Yes, you do need one of ca.cer or fullchain.cer depending on your server application.

fullchain.cer is the same as certificate.crt + ca.cer combined in one file.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
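The relationship described in this thread (fullchain.cer is certificate.crt followed by ca.cer, and nginx should be given the combined file) can be checked offline before reloading the server. This is an added example, not code from any poster or from Let's Encrypt; the function names are hypothetical and the PEM blocks are constructed placeholders, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def pem_certs(text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]


def classify(served, leaf, intermediate):
    """Describe the file that nginx's ssl_certificate directive points at."""
    served_c = pem_certs(served)
    leaf_c = pem_certs(leaf)
    ca_c = pem_certs(intermediate)
    if len(leaf_c) != 1 or not ca_c:
        return "bad-input"
    if not served_c or served_c[0] != leaf_c[0]:
        return "leaf-not-first"      # the leaf must be the first block
    if served_c == leaf_c:
        return "leaf-only"           # clients must find the intermediate themselves
    if served_c == leaf_c + ca_c:
        return "full-chain"          # leaf followed by the intermediate(s)
    return "unexpected-chain"


def fake_pem(payload):
    """Build a constructed PEM block; the payload is not a real certificate."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed stand-ins for the files named in the thread.
CERTIFICATE_CRT = fake_pem(b"constructed leaf, not a real certificate")
CA_CER = fake_pem(b"constructed intermediate, not a real certificate")
FULLCHAIN_CER = CERTIFICATE_CRT + CA_CER

if __name__ == "__main__":
    for name, served in (("certificate.crt", CERTIFICATE_CRT),
                         ("fullchain.cer", FULLCHAIN_CER)):
        print(name, "->", classify(served, CERTIFICATE_CRT, CA_CER))
```

With real files, read the contents of the file nginx serves, certificate.crt and ca.cer, and pass the three strings to `classify`.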