R3 Intermediate certificate has expired and MacOS

Help
1

My domain is:

https://crt.sh/?q=guardiandigital.com

I updates our certs just a few days ago:
certbot -d guardiandigital.com [-d all other domains] --manual --preferred-challenges dns certonly

My web server is (include version):
httpd-2.4.49-1.fc34.x86_64 on fedora34

The operating system my web server runs on is (include version):
fedora34

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.19.0

The problem appears to be with MacOS version 10.11.6 - El Capitan users using the latest Chrome or Safari.

What is the solution for these users?

expired-cert-Screen Shot 2021-09-30 at 7.54.04 PM
expired-cert-Screen Shot 2021-09-30 at 7.54.04 PM1070×612 49.9 KB

2

Hi @gossamer,

When you did this, did you also update the certificate chain, not just the certificate itself? Certbot will give you both things, but if you're using --manual it's easy to forget about the chain (since, most of the time, the old chain is still correct, or still correct enough—but not right now!).

Edit: Actually, the chain looks correct to me (except that the end-entity certificate is duplicated). Can someone else confirm whether these browsers might be actively rejecting the Android workaround X3 certificate? If so, you might need to remove the X3 certificate from your chain (which is unfortunate because I think prior experiments suggested that its presence only improved compatibility with old Android systems, rather than harming compatibility with other clients).

3

This could be the same issue as

4

A post was split to a new topic: End-user certificate expiration problems

5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.