R3 Intermediate certificate has expired

What is the version of the apache web server?

2 Likes

Check your Apache config.
Highly likely that it isn't doing exactly what you want it to.
I'd start with the output of:
sudo apachectl -t -D DUMP_VHOSTS

1 Like
Server version: Apache/2.4.6 (CentOS)
Server built:   Nov 16 2020 16:18:20

When did you last restart Apache and are there multiple certificate entries in the fullchain.pem text file?

On that version (and earlier) you have to use the SSLCertificateChainFile statement. The SSLCertificateFile accepts only one certificate.

3 Likes
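As an added example (not from any post in this thread) of the difference described above, here is the vhost fragment for the Apache 2.4.6 build shown earlier; the paths assume certbot's default layout under /etc/letsencrypt/live/example.com/, and example.com is a placeholder.

```apache
# Added example: serving the Let's Encrypt R3 intermediate from Apache 2.4.6 (CentOS 7).
# Paths assume certbot's default /etc/letsencrypt/live/<domain>/ layout.

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on

    # BROKEN on 2.4.6: only the leaf certificate is sent. Clients must then find
    # the R3 intermediate on their own, and those that cannot (or that hold a
    # stale copy chaining to the expired DST Root CA X3) reject the site.
    #SSLCertificateFile    /etc/letsencrypt/live/example.com/cert.pem
    #SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # CORRECT on 2.4.6 and earlier: leaf in SSLCertificateFile, intermediate in
    # SSLCertificateChainFile. Pointing SSLCertificateFile at fullchain.pem does
    # not help here, because only the first certificate in that file is used.
    SSLCertificateFile      /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

    # On Apache 2.4.8 or newer SSLCertificateChainFile is deprecated and this
    # single directive (the whole chain in one file) replaces both cert lines:
    #SSLCertificateFile     /etc/letsencrypt/live/example.com/fullchain.pem
</VirtualHost>
```

After `apachectl configtest` and a reload of httpd, `openssl s_client -connect example.com:443 -servername example.com -showcerts` should list two certificates, the leaf and the R3 intermediate, which is the quickest way to confirm the server now sends the chain.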

That is correct, linking a thread with more info about the topic:

2 Likes

Thank you for the link to this good article!
I e-mailed the link to the Apple product security team, as they surely have a lot to learn from it. Building the certificate trust chain on macOS 11.6 is obviously broken.

I am encountering the same issue. How did you force a renewal?

Forcing renewal is NOT necessary for chain issues. The certificate and the signing intermediate would be IDENTICAL. Please don't force renewal for this kind of issue.

1 Like

How would you resolve this issue then? My website is sending faulty certificate chains (with the expired DST Root CA) to some users and the correct one (with ISRG Root) to others.

That depends...
What ACME client are you using?
What web service are you running?

2 Likes

ACME Client: Through Terraform. Specifically:

provider "acme" {
  server_url = "https://acme-v02.api.letsencrypt.org/directory"
}

Web Service: Containers running over GKE.

Can you show the lines of code that actually use the cert?

2 Likes

I don't know specifically, but the correct chain has been in use since May this year, so if automatic renewal didn't result in the correct chain earlier, forcing renewal NOW wouldn't fix it either.

2 Likes

Searching

I have the same problem. I renewed my certificate and changed the web server to use the fullchain.pem generated by certbot in /etc/letsencrypt/live/.
Problem solved!!

1 Like

Yup, appears to have been the same problem for me. Was using only the final certificate rather than the full chain.

Thanks everyone for the help!

1 Like

Today I have the same problem on Linux servers. Resolution:
On the server running the web server, run:
certbot --delete
Choose the certificate you want to renew and choose 1: Attempt to reinstall this existing certificate.
Then restart httpd or nginx.

3 posts were split to a new topic: Win2016 R3 problem

Hi,

We also ran into problems last night, this might help someone out there:
Our setup:
• CentOS 7.x
• Kerio Connect 9.3.1 (Mailserver)
• Certbot to auto-renew certificates.
• A Python script to insert certificates into Kerio Connect after a Certbot update.

Everything looked good and certificates were updating without errors, but there were complaints about the expired certificate.

The problem is the INTERMEDIATE cert, as stated in the subject of this thread.
It isn't updated by certbot, so we had to manually download it and put it in the right place on the server. We downloaded it and had to rename it from "lets-encrypt-r3.pem" to "lets-encrypt-r3.crt".
We put the certificate in: /opt/kerio/mailserver/sslca
After a reboot of Kerio Connect Mailserver everything works as expected and everybody was happy singing, dancing and reading all important spam-emails again.

Link to the intermediate cert, change the extension to .crt if necessary:
https://letsencrypt.org/certs/lets-encrypt-r3.pem

Hope this helps anyone.