I'll have to admit my knowledge about this is bad.
I'll write this response as a help for anyone else facing the same problem.
My setup is like this:
Debian 10 Server -> Docker -> ASP.NET Core container hosting with the Kestrel server
I use this software to renew the cert:
It gives me a .crt file with 3 certificates:
The actual cert for my domain
R3 (ISRG Root X1) 2020-09-04 -> 2025-09-15
ISRG Root X1 (2015->2035)
I combine this file + the private key into a PFX file, which I then import and set up SSL with in .NET.
So when this issue arose, I had the expired DST_Root_CA_X3.crt in /etc/ssl/certs on the Debian host and it was also "inside" the Docker container.
For some reason, some mechanism in my setup (Docker, .NET, Kestrel?) seemed to use the expired /etc/ssl/certs/DST_Root_CA_X3.crt and not the "chain" from my .crt file.
After removing this /etc/ssl/certs/DST_Root_CA_X3.crt and restarting the Docker container, it instead started "serving" the correct, non-expired cert chain.
As for how/why this actually works, I have no clue.
If you don't need to support any older Android devices, you could remove the last cert from file: /etc/letsencrypt/live/office.lcsoftware.co.za/fullchain.pem
Restart server and things should look better.
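The chain check that both posts above do by hand (seeing which certificates a .crt / fullchain.pem bundle carries and their expiry dates, and trimming the last, cross-signed certificate to get the short chain), as an added shell example that is not part of either post. It assumes a PEM bundle in Let's Encrypt's fullchain.pem layout (leaf, intermediate, cross-signed root last) and openssl on the host for the expiry check.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a PEM bundle laid out like
# Let's Encrypt's fullchain.pem (leaf, R3, then the cross-signed ISRG Root X1)
# and that openssl is installed for the subject/issuer/expiry check.
set -eu

# Print the n-th certificate (1-based) of a PEM bundle read from stdin.
nth_cert() {
  awk -v want="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == want { print }
    /-----END CERTIFICATE-----/ && n == want { exit }'
}

# Count the certificates in a bundle read from stdin (0 when there are none).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' || true; }

# Emit the bundle without its final certificate: the cross-signed ISRG Root X1
# that only old Android clients need. Without it, a client that still trusts
# the expired DST Root CA X3 cannot build a path that ends at that root.
drop_last_cert() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    { block[n] = block[n] $0 "\n" }
    END { for (i = 1; i < n; i++) printf "%s", block[i] }'
}

# Show subject, issuer and expiry of every certificate in the bundle file $1,
# so an expired or unexpected link in the chain is visible at a glance.
show_chain() {
  total=$(count_certs < "$1")
  i=1
  while [ "$i" -le "$total" ]; do
    echo "--- certificate $i of $total"
    nth_cert "$i" < "$1" | openssl x509 -noout -subject -issuer -enddate
    i=$((i + 1))
  done
}

# Usage: sh chain.sh /etc/letsencrypt/live/<domain>/fullchain.pem
# To write the short chain: drop_last_cert < fullchain.pem > fullchain-short.pem
if [ "$#" -ge 1 ]; then show_chain "$1"; fi
```

Restart whatever serves the bundle after rewriting it, as both posts note, because the running process keeps the chain it loaded at start.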
To me this seems like a partial replay of the Year 2000 problem; however, one difference with the Y2K bug was that there was enough public paranoia that corporations spent a lot of effort and money on being prepared. So in January 2000 there wasn't much of an issue, which then caused some backlash that it had all been a waste of time, effort, and money. But there wasn't much of a disturbance in the world. I feel that the LE community did do due diligence on addressing and informing the powers that be, but the paranoia wasn't high enough for the R3 intermediate certificate expiring to motivate the web world as a whole to be fully prepared and tested prior to R3's expiration. Just one point of view.
We're having the same issue with cert-manager on our Kubernetes clusters. Does anyone know how I can set my cluster issuer to use the ISRG Root X1 chain?
Our issuer definition:
Spec:
  Acme:
    Email:            ***
    Preferred Chain:
    Private Key Secret Ref:
      Name:  letsencrypt
    Server:  https://acme-v02.api.letsencrypt.org/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx
Status:
  Acme:
    Last Registered Email:  ***
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/208102080
  Conditions:
    Last Transition Time:  2021-09-20T16:30:47Z
    Message:               The ACME account was registered with the ACME server
    Observed Generation:   1
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
According to this page it should just be as simple as setting preferredChain on acme. Could someone please confirm?
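What the issuer above would look like with the preferred chain set, as an added example that is not part of the post. It assumes a ClusterIssuer named "letsencrypt" (as in the describe output) and a cert-manager version whose ACME issuer spec has the preferredChain field (the empty "Preferred Chain:" line above shows it is present); the e-mail address is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Renders a cert-manager ClusterIssuer
# whose ACME spec asks Let's Encrypt for the chain topped by the given root
# ("ISRG Root X1" = the short chain that leaves out the expired DST Root CA X3).
set -eu

render_issuer() {
  name="$1"; email="$2"; chain="$3"
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ${name}
spec:
  acme:
    email: ${email}
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "${chain}"
    privateKeySecretRef:
      name: ${name}
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
}

# The same change as a merge patch against the issuer that already exists.
# The preferred chain only applies to certificates issued after the change,
# so existing Certificate resources still have to be renewed.
patch_cmd() {
  name="$1"; chain="$2"
  printf 'kubectl patch clusterissuer %s --type merge -p %s\n' "$name" \
    "'{\"spec\":{\"acme\":{\"preferredChain\":\"$chain\"}}}'"
}

# Apply with: render_issuer letsencrypt you@example.com "ISRG Root X1" | kubectl apply -f -
render_issuer letsencrypt "you@example.com" "ISRG Root X1"
patch_cmd letsencrypt "ISRG Root X1"
```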
You get a new certificate.
You need to restart your services to use that new certificate.
The sun will come up and the stars will shine at night.
Life will go on happily.
[until the next problem shows up]
LOL
@lcsoftware
It actually will (if nothing changes), but by then we should have a (better) fix for this and likely the provided files' chain will look just like this one does now. OR your money back! - LOL
Yes, particularly git clones and linux stuff. Have a search through the forum but it'll be specific to your OS and whether it uses openssl etc (and what version).
Hi, I'm not a web hoster and don't have much IT knowledge at all, just a user from another field who is having trouble accessing websites apparently due to this error (looked up letsencrypt and r3 after general troubleshooting didn't work). I have two older Mac computers in my home and both are having problems accessing several sites (scielo.org, wikipedia.org, centraonline.cl and others that I could regularly use before yesterday) with both Safari and Chrome. I assume it's due to the certificate as read here, but I'm also scared it could be a security problem. I can access the sites in incognito mode and advanced settings options, although it warns me that the connection is unsafe while I use them (citing ERR_CERT_DATE_INVALID, but the date and time settings in my system are correct). I would appreciate any guidance since I live in a pretty remote area and use my computers for work. Apparently it's not a network problem, I can access those websites fine through my cellphone.
@feminatimida What's the version of your OS X? Also, I'm curious: does using incognito mode work without any other thing necessary to do? Such as overriding something? Does incognito "just work"?
@Osiris One is a MacBook Pro Retina from 2014 running Yosemite version 10.10.5 (tried to update it but it took more than 72 hours and didn't work) and the other is a MacBook Pro from 2012, running El Capitan 10.11.6. I can't access any sites that use letsencrypt R3 without getting a security warning. With some of them, using incognito mode and/or ignoring the safety warning allows me to proceed to the site unsafely. Not ideal but I need to be able to access somehow.
Open the Keychain Access app and drag that file into the System folder of that app.
Then find the ISRG Root X1 certificate in System and double-click on it, open the Trust menu and change "Use System Defaults" to "Always Trust", then close that and enter your password to confirm the change (if prompted).