R3 Expiration on old NodeJS environment

tolgaytoklar · October 4, 2021, 10:25am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://test.ribony.com:2087

I ran this command: node start.js --use-openssl-ca

It produced this output: Certificate error on mac devices.

My web server is (include version): Node v0.10.26

The operating system my web server runs on is (include version): Centos 6.9

I can log in to a root shell on my machine (yes or no, or I don't know): Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

As you know, the root certificate has expired. I fixed the problem with using --use-openssl-ca argument for windows devices. But I still get certificate expiration error for my mac device, which uses Big Sur 11.6(latest version). Interestingly my friend's version is Big Sur 11.5.2, and he connects without any problem.

How to resolve this problem?

rg305 · October 4, 2021, 11:50am

Hi @tolgaytoklar welcome to the LE community forum

The site serves no chain:

openssl s_client -connect test.ribony.com:2087 -servername test.ribony.com
CONNECTED(00000005)
depth=0 CN = ribony.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ribony.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = ribony.com
   i:C = US, O = Let's Encrypt, CN = R3
---

tolgaytoklar · October 4, 2021, 12:02pm

So what do you suggest to resolve the problem? If it serves no chain, how is it working on Windows devices?

Thanks for your reply.

rg305 · October 4, 2021, 12:07pm

Pure luck.

Update the web server to use the fullchain file.

tolgaytoklar · October 6, 2021, 10:37am

Is a fullchain file equals to cert + ca bundle?

jvanasco · October 6, 2021, 11:20am

Yes, but your client should have it as a file already.

Using the standard / Certbot layout:

cert.pem is the end-entity or leaf
chain.pem is the intermediates
fullchain.pem is the cert + chain

If you don't have a fullchain.pem, you can make one on *nix via:

cat cert.pem chain.pem > fullchain.pem

system · November 5, 2021, 11:21am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.