R3 intermediate certificate has expired, how to renew it with cert-bot renew

na_7909 · October 3, 2021, 8:12am

The R3 intermediate certificate expired on September 31, 2021.

I can renew it with Certbot renew, but when I check the expiration date on Linux, it expires.

Is there any way to renew it manually?

Osiris · October 3, 2021, 8:16am

That intermediate hasn't been in use since May this year. Howcome are you still using that R3 intermediate?

Or do you actually mean DST Root CA X3 has expired?

Also, please answer the questions of the Help questionnaire (which should have been provided to you when you started this thread):

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

rg305 · October 3, 2021, 8:16am

Hi @na_7909, welcome to the LE community forum

The expired R3 cert can't be renewed.
But it has been replaced - with "ISRG Root X1".

Osiris · October 3, 2021, 8:18am

Browsers can build their chain in whatever way they feel fit. It's not very useful to use to check what chain is being send by your server.

Please answer the questions to the questionnaire I've added to my first post, including your sites hostname.

Osiris · October 3, 2021, 8:25am

All publicly trusted certificates are send to Certificate Transparancy Logs, so their certificate and hostname are already publicly known anyway.

rg305 · October 3, 2021, 8:26am

If you know their FQDN, maybe you can collect some information for us to look at with:
openssl s_client -connect EXAMPLE.COM:443 -servername EXAMPLE.COM

The part that is of interest is above the certificate:
Like:

openssl s_client -connect letsencrypt.org:443 -servername letsencrypt.org
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = lencr.org
verify return:1
---
Certificate chain
 0 s:CN = lencr.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----

na_7909 · October 3, 2021, 8:31am

 openssl s_client -connect dev.galleryrare.micup.jp:443 -servername dev.galleryrare.micup.jp

---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 4580ED57E3F1B6C228C5A3CF49CAC81F498E1F876E247215E5C56F7FD7961652
    Session-ID-ctx:
    Master-Key: 6AC62444DDEC78FDCB4C549A869FB13D7B80D133DE451D3575153D5C0C7709366FD888E162FBA55A76F2D520D993168C
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 52 fb 64 22 06 3b c1 a4-3b 90 f9 ae 6a 4d d0 33   R.d".;..;...jM.3
    0010 - 59 30 2f 90 f4 0f 35 89-c1 1b ff 15 3a c8 c5 19   Y0/...5.....:...
    0020 - 76 ff 4d 19 c6 c5 b8 18-cd 0c 39 3b 95 aa 74 ac   v.M.......9;..t.
    0030 - a8 e2 6a dd e7 80 4f ea-a2 55 89 f3 26 42 ee 49   ..j...O..U..&B.I
    0040 - cf 79 71 15 40 99 d3 07-a1 7b c2 df f4 86 94 d5   .yq.@....{......
    0050 - 09 3c d1 c0 64 44 ae 20-67 a8 62 7b 34 ce 7b d2   .<..dD. g.b{4.{.
    0060 - df c1 31 17 71 1a ea 35-54 7b e6 44 80 0c fe f6   ..1.q..5T{.D....
    0070 - 13 eb 85 6d bf 21 8a 69-16 cd b9 0a 6a 0a 88 17   ...m.!.i....j...
    0080 - 6f 4a 6e b6 be d7 12 51-87 14 5b 8c 42 17 63 2d   oJn....Q..[.B.c-
    0090 - 78 92 be 1a 5c 68 8b 23-c8 b2 ed c0 cc d2 13 62   x...\h.#.......b
    00a0 - 41 5c aa 50 d8 8d 47 8a-bd 72 24 e5 4d 12 1b 60   A\.P..G..r$.M..`
    00b0 - ae ad fb 84 0e 14 4b 94-88 49 f7 a1 0f e8 88 4f   ......K..I.....O
    00c0 - c8 e3 a0 20 5b 9f 0b 83-b7 7c 8d 95 74 5f 9b 59   ... [....|..t_.Y

    Start Time: 1633249881
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Osiris · October 3, 2021, 8:35am

For some reason you've posted the bottom part? While not that literal, @rg305 asked for the top part

Anyway, your certificate looks good. I see it has been renewed today (the previous certificate was still valid for another 26 days) and the chain it's sending is the default old-Android-compatible chain.

With what client did you have issues? You said "When I checked on Linux", but with what exactly?

Osiris · October 3, 2021, 8:39am

I'm getting the same OK result as you did. Please see my sneaky edit in my post above.

na_7909 · October 3, 2021, 8:44am

My domain is: dev.galleryrare.micup.jp

My web server is (include version): nginx/1.19.10

The operating system my web server is running on is (include version): macOS Big Sur 11.5.2

If applicable, my hosting provider is

I can log into the root shell of my machine (yes or no, or don't know): Yes

I am using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is: certbot 1.11.0 (for example, if you are using Certbot output certbot --version or certbot-auto --versionCertbot)

system · November 2, 2021, 8:45am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.