R3 Intermediate certificate has expired

I'll have to admit my knowledge about this is bad.
I'll write this response as a help for anyone else facing the same problem.

My setup is like this:
Debian 10 Server -> Docker -> ASP.net Core container running hosting with Kestrel server

I use this software to renew the cert:

It gives me a .crt file with 3 certificates:

  1. The actual cert for my domain
  2. R3 (ISRG Root X1) 2020-09-04 -> 2025-09-15
  3. ISRG Root X1 (2015->2035)

I combine this file + the private key into a PFX file, which I then import and set up SSL with in .NET.

So when this issue arised, I had the expired DST_Root_CA_X3.crt in /etc/ssl/certs on the Debian host and it was also "inside" the Docker container.

For some reason, some mechanism in my setup (Docker, .NET , Kestrel?) seemed to use the expired /etc/ssl/certs/DST_Root_CA_X3.crt and not the "chain" from my .crt file..

After removing this /etc/ssl/certs/DST_Root_CA_X3.crt, and restarting the Docker container, it instead started "serving" the correct, non expired cert-chain.

As for how/why this actually works, I have no clue :stuck_out_tongue:

1 Like

If you don't need to support any older Android devices, you could remove the last cert from file:
/etc/letsencrypt/live/office.lcsoftware.co.za/fullchain.pem
Restart server and things should look better.

1 Like

To me this seems like a partial replay of the Year 2000 problem, however one difference with the Y2K bug was there was enough public paranoia that corporations spent a lot of effort and money on being prepared. So January 2000 there wasn't much issue, which then cause some out-lash that it was all a waste of time, effort, and money. But there wasn't much of a disturbance in the world. I feel that the LE community did do due diligence on address and informing the powers that be, but the paranoia wasn't high enough to make R3 Intermediate certificate expiring to motivate the web world as a whole to be fully prepared and tested prior to R3's expiration. Just one point of view. :neutral_face:

1 Like

Thank you.

removed it and restarted dovecot and postfix, and it's working now.
What happens when the certificate refreshes

1 Like

We're having the same issue with cert-manager on our Kubernetes clusters. Does anyone know how I can set my cluster issuer to use the ISRG Root X1 chain?

Our issuer definition:

Spec:
  Acme:
    Email:            ***
    Preferred Chain:
    Private Key Secret Ref:
      Name:  letsencrypt
    Server:  https://acme-v02.api.letsencrypt.org/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx
Status:
  Acme:
    Last Registered Email:  ***
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/208102080
  Conditions:
    Last Transition Time:  2021-09-20T16:30:47Z
    Message:               The ACME account was registered with the ACME server
    Observed Generation:   1
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready

According to this page it should just be as simple as setting preferredChain on acme. Could someone please confirm?

preferredChain: "ISRG Root X1"

And are there future implications of this?

You get a new certificate.
You need to restart your services to use that new certificate.
The sun will come up and the stars will shine at night.
Life will go on happily.
[until the next problem shows up]
LOL

1 Like

ok, so it will not recreate the file with the problem certificate.

@lcsoftware
It actually will (if nothing changes), but by then we should have a (better) fix for this and likely the provided files' chain will look just like this one does now.
OR you money back! - LOL

Anybody having problems connecting from a CLI?

1 Like

Yes, particularly git clones and linux stuff. Have a search through the forum but it'll be specific to your OS and whether it uses openssl etc (and what version).

Exactly, in our case, we're having problem with a POST to a self-hosted GitLab API

the same site:

image

1 Like

Thanks - that was exactly my problem. I used the cert.pem in my dovecot (imap) and smtp settings.
Switching to fullchain.pem solved it.

2 Likes

Hi, I’m not a web hoster or have much IT knowledge at all, just a user from another field who is having trouble accessing websites apparently due to this error (looked up letsencrypt and r3 after general troubleshooting didn’t work). I have two older Mac computers in my home and both are having problems accesing several sites (scielo.org, wikipedia.org, centraonline.cl and others that I could regularly use before yesterday) with both Safari and Chrome. I assume it’s due to the certificate as read here, but I’m also scared it could be a security problem. I can access the sites in incognito mode and advanced settings options, although it warns me that the connection is unsafe while I use them (citing ERR_CERT_DATE_INVALID, but the date and time settings in my system are correct). I would appreciate any guidance since I live in a pretty remote area and use my computers for work. Apparently it’s not a network problem, I can access those websites fine through my cellphone.

@feminatimida What's the version of your OS X? Also, I'm curious: does using incognito mode work without any other thing necessary to do? Such as overriding something? Does incognito "just work"?

1 Like

@Osiris One is a macbook pro retina from 2014 running on Yosemite version 10.10.5 (tried to update it but it took more than 72 hours and didn’t work) and the other is a macbook pro from 2012, running El Capitan 10.11.6. I can’t access any sites that use letsencrypt R3 without getting a security warning. With some of them, using incognito mode and/or ignoring the safety warning allows me to proceed to the site unsafely. Not ideal but I need to be able to access somehow.

1 Like

Two possible choices available today:

  • update to 10.12 or higher (however long that pain path might be)
  • use alternate software (like chrome/firefox/etc.)

Possible future choices...:

  • win lottery and buy a newer computer
  • drop off the Internet entirely and go on a spiritual journey through life
  • spend your time reading random thoughts on forums
  • laughing like nothing matters especially when it does
  • joining a open source coding clan and help rewrite software to be secure and easy to use

[sorry my time is up - next on the mic is...]

4 Likes

For older macOS, try:

  • downloading https://letsencrypt.org/certs/isrgrootx1.der
  • Open the Keychain Access app and dragging that file into the System folder of that app.
  • then find the ISRG Root X1 certificate in System and double click on it, open the Trust menu and change "Use System Defaults" to "Always Trust", then close that and enter your password to confirm the change (if prompted).
6 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.