R3 Intermediate certificate has expired

I'm having the same issue. My server is a Go REST API that uses the fullchain.pem file. I used the current certbot snap on Ubuntu 18.04 to force-renew a new cert today. How do I get certbot to use the R3-new and not the R3-old? Is this something that I need to do in certbot, or in the cert listings in Ubuntu, or do I need to use a different file instead of "fullchain.pem" in my REST API server?

1 Like

I saw this exact problem on my Mac. Whatever the cause (and I can't pinpoint it) the solution was to modify my server to use 'fullchain.pem' instead of 'cert.pem' for dovecot imap. That solved the problem for all my personal email domains on my server.

5 Likes

Hi @aparduhn, welcome to the LE community forum 🙂

certbot gets what LE provides.
[which has been the new R3 for quite some time now]

Definitely NOT.

not likely...
Although I would ask you to check what version of OpenSSL you are running.

Definitely NOT; that is the right file.
Are you sure it is using a recent version of it?

2 Likes

Hi all - I'm a new user and had an AWS expert set up my certs. Today, both of my websites, with current, valid certs, are showing as expired, and users are getting the "This connection is not private" warning message on Safari in iOS. Can anyone guide me here?

@BrianCanFixIT - how did you "force a renewal of the websites that were affected?"

What ACME client are you using?
Which of those cert renewal files are being used by your service?

Thank you so much for the quick response. I'm using OpenSSL 1.1.1 11 Sep 2018, and the version of certbot installed is 1.19.0 (1434) 44MB classic.

Certs are managed on AWS Certificate Manager. I'm not sure how to answer your 2nd question. (novice here)

Check to see that you're using 'fullchain.pem' - that solved all my Mac OS and IOS problems with no change on the client side.

Based on what you said, that sounds like my problem (issues are isolated to Mac OS and iOS users). Now, novice user here, where would I check for that and/or update to "fullchain.pem"?

If you can, test to see what is being served by your service.
Try something like:
openssl s_client -connect EXAMPLE.APP:443 -servername EXAMPLE.APP

hmm...
If you are in a hurry/emergency state, I guess I would have to go to "in case of emergency break glass"...
And have you try switching to another free CA until this problem is resolved.

Is it a publicly accessible website?

Yes - www.thecollegeagency.com

That depends on which software. Apache? Nginx? Dovecot? Postfix? Basically look for the configuration file of whatever software you're using and change 'cert.pem' to 'fullchain.pem' and you're good to go.

Try:
openssl s_client -connect www.thecollegeagency.com:443 \
-servername www.thecollegeagency.com

I see NO CHAIN:

---
Certificate chain
 0 s:CN = thecollegeagency.com
   i:C = US, O = Let's Encrypt, CN = R3
---
2 Likes

Which part of the output would be helpful to diagnose?

CONNECTED(00000005)
depth=0 CN = [my domain]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = [my domain]
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
 0 s:CN = [my domain]
   i:C = US, O = Let's Encrypt, CN = R3

The part between the first set of "---".
[Certificate chain]
Like:

---
Certificate chain
 0 s:/CN=community.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
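A small script, added here as an example and not posted by anyone in the thread, that reads the output of the openssl s_client command above and reports whether the server sent only the leaf (the symptom in this thread) or a leaf plus its intermediate. The host name and both sample outputs are constructed to match the shape of the output quoted above.

```python
import re

# Constructed samples shaped like `openssl s_client -connect host:443 -servername host` output.
# LEAF_ONLY mirrors this thread (only depth 0 sent, errors 20/21); FULL_CHAIN is a fullchain.pem server.
LEAF_ONLY = """\
depth=0 CN = www.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Let's Encrypt, CN = R3
---
"""
FULL_CHAIN = """\
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""

def parse_chain(output):
    """Return [(subject, issuer), ...] listed in the 'Certificate chain' section."""
    m = re.search(r"Certificate chain\n(.*?)\n---", output, re.S)
    return re.findall(r"\d+ s:(.*?)\n\s*i:(.*?)\n", m.group(1) + "\n") if m else []

def verify_errors(output):
    """Sorted 'verify error:num=N' codes the client reported (20/21 point at a missing intermediate)."""
    return sorted({int(m.group(1)) for m in map(re.compile(r"^verify error:num=(\d+):").match, output.splitlines()) if m})

def diagnose(output):
    """One-line verdict on what the server sent during the handshake."""
    chain = parse_chain(output)
    if not chain:
        return "no chain: output has no 'Certificate chain' section"
    if len(chain) == 1:
        # Only depth 0 was sent: the server is most likely configured with cert.pem, not fullchain.pem.
        return "leaf only (errors %s): likely serving cert.pem instead of fullchain.pem" % verify_errors(output)
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:  # each cert must be followed by the cert that issued it
            return "broken chain: '%s' is not followed by its issuer" % issuer
    return "%d certificates sent, issuer links consistent" % len(chain)

if __name__ == "__main__":
    for name, out in (("leaf-only", LEAF_ONLY), ("fullchain", FULL_CHAIN)):
        print(name, "->", diagnose(out))
```

Pipe real output into it with `openssl s_client -connect HOST:443 -servername HOST </dev/null` and pass the captured text to diagnose().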

@rg305 - any chance you are on the AWS Expert platform that I could hire you to fix my issue?

1 Like

No, sorry, I'm not available for any such engagement.

1 Like