R3 Intermediate certificate has expired

hmm...
If you are in a hurry/emergency state, I guess I would have to go to "in case of emergency break glass"...
And have you tried switching to another free CA until this problem is resolved?

1 Like

Is it a publicly accessible website?

1 Like

Yes - www.thecollegeagency.com

That depends on which software. Apache? Nginx? Dovecot? Postfix? Basically look for the configuration file of whatever software you're using and change 'cert.pem' to 'fullchain.pem' and you're good to go.

Try:
openssl s_client -connect www.thecollegeagency.com:443 \
-servername www.thecollegeagency.com

I see NO CHAIN:

---
Certificate chain
 0 s:CN = thecollegeagency.com
   i:C = US, O = Let's Encrypt, CN = R3
---
2 Likes

Which part of the output would be helpful to diagnose?

CONNECTED(00000005)
depth=0 CN = [my domain]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = [my domain]
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
 0 s:CN = [my domain]
   i:C = US, O = Let's Encrypt, CN = R3

The part between the first set of "---".
[Certificate chain]
Like:

---
Certificate chain
 0 s:/CN=community.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
1 Like

@rg305 - any chance you are on the AWS Expert platform that I could hire you to fix my issue?

1 Like

No, sorry, I'm not available for any such engagement.

2 Likes
---
Certificate chain
 0 s:CN = [my domain]
   i:C = US, O = Let's Encrypt, CN = R3
---

That should look like (the EXAMPLE):

---
Certificate chain
 0 s:/CN=community.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
1 Like
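To make the `Certificate chain` comparison above repeatable, here is an added Python example (not from this thread) that parses pasted `openssl s_client` output in both the older `/C=US/...` and the newer `C = US, ...` DN styles and reports whether the server sent only the leaf. The two sample outputs are constructed, and `example.test` is a placeholder domain.

```python
import re
# Constructed samples shaped like the two s_client outputs quoted in this thread.
LEAF_ONLY = """\
Certificate chain
 0 s:CN = example.test
   i:C = US, O = Let's Encrypt, CN = R3
---
"""
FULL_CHAIN = """\
Certificate chain
 0 s:/CN=community.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""
def normalize(dn):
    # Canonicalize both the '/C=US/O=X' and the 'C = US, O = X' DN styles.
    parts = re.split(r"/|,\s*", dn.strip().lstrip("/"))
    return ", ".join(p.replace(" = ", "=").strip() for p in parts if p.strip())

def parse_chain(output):
    # Return [(subject, issuer), ...] in the order the server sent them.
    chain, in_block, subject = [], False, None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_block = True
        elif in_block and line.strip() == "---":
            break
        elif in_block:
            if m := re.match(r"\s*\d+\s+s:(.*)", line):
                subject = normalize(m.group(1))
            elif (m := re.match(r"\s*i:(.*)", line)) and subject is not None:
                chain.append((subject, normalize(m.group(1))))
                subject = None
    return chain

def diagnose(output):
    # Assumes a public CA that issues through an intermediate, as Let's Encrypt does.
    chain = parse_chain(output)
    for idx in range(len(chain) - 1):  # each cert must be issued by the next one sent
        if chain[idx][1] != chain[idx + 1][0]:
            return f"BROKEN: certificate {idx} is not issued by certificate {idx + 1}"
    if len(chain) < 2:
        missing = chain[0][1] if chain else "(no chain block found)"
        return f"INCOMPLETE: {len(chain)} certificate(s) sent; missing intermediate {missing!r}"
    return f"OK: {len(chain)} certificates sent, top issuer {chain[-1][1]!r}"
```

Pipe real output in with `openssl s_client -connect host:443 -servername host </dev/null | python3 -c 'import sys, chaincheck; print(chaincheck.diagnose(sys.stdin.read()))'` after saving the block as `chaincheck.py`.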

Understood. However, that's what it says. Are there some settings in certbot to get those other options with the ISRG?

certbot should have all the files you need.
Please show:
certbot certificates

1 Like
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: [my domain]
    Serial Number: 4d982316ab86d520aa3a1a53f5d4f60b1b8
    Key Type: ECDSA
    Domains: [my domain]
    Expiry Date: 2021-12-28 21:08:46+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/[my domain]/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/[my domain]/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Now obviously I'm blocking out my real domain with [my domain]; if that's particularly crucial I can add it.

I also have a couple of wild-card certificates which expire on 27th of October but appear to be signed by the just expired R3. I immediately generated new certificates, though the issue remained: both Safari and Chrome on macOS show the expired path for the brand new certificates, while Chrome on Windows 10, and Firefox show the valid path and work. The solution: I changed my web server to provide a full chain of trust.

Not required (at this point).
Now you need to review the web server.
It needs to be using the file:

2 Likes

NOT possible; that's Windows (or your browser) messing with you.

It was probably not serving any chain at all.
Yes, it is always recommended to use the full chain :slight_smile:

3 Likes

Correct, I just implemented full chain support on my web server, and macOS instantly started working. But without it, macOS prefers the broken chain and hence the many incidents tonight. :slight_smile:
How do web browsers work when no chain is provided? I would assume they look up intermediate and root CA based on name, and perhaps cached data?

Unbelievable. My custom REST server's code was not pointing to the fullchain. That worked. I'm sorry for wasting your time and thank you for your patience in helping me walk through this.

2 Likes

They first look at the cert, which usually has a pointer, then in their cache, etc.
They will generally come up with something - it just isn't always the right path.

3 Likes