R3 Intermediate certificate has expired

rg305 · September 30, 2021, 2:04pm

That depends...
What ACME client are you using?
What web service are you running?

ronilichtman · September 30, 2021, 2:05pm

ACME Client: Through Terraform. Specifically:

provider "acme" {
  server_url = "https://acme-v02.api.letsencrypt.org/directory"
}

Web Service: Containers running over GKE.

rg305 · September 30, 2021, 2:06pm

Can you show the lines of code that actually use the cert?

Osiris · September 30, 2021, 2:07pm

I don't know specifically, but the correct chain has been in use since May this year, so if automatic renewal didn't result in the correct chain earlier, forcing renewal NOW wouldn't fix it either.

ronilichtman · September 30, 2021, 2:11pm

Searching

mauriciopfl · September 30, 2021, 2:28pm

I have the same problem. I renewed my certificate and changed the web server to fullchain.pem generated by certbot on /etc/letsencrypt/live/.
Problem solved!!

ronilichtman · September 30, 2021, 2:36pm

Yup, appears to have been the same problem for me. Was using only the final certificate rather than the full chain.

Thanks everyone for the help!

alexzh16 · September 30, 2021, 3:20pm

today i have the same problem on linus servers. Resolve:
in the server with Web Server run:
certbot --delete
choice certificate where you can renew and choice 1: Attempt to reinstall this existing certificate.
than restart httpd or nginx

rg305 · September 30, 2021, 5:59pm

3 posts were split to a new topic: Win2016 R3 problem

MrWest · September 30, 2021, 5:37pm

Hi,

We also ran into problems last night, this might help someone out there:
Our setup:
•CentOS 7.x
•Kerio Connect 9.3.1 (Mailserver)
•Certbot to Auto Renew Certificates.
•A python Script to insert certificates into Kerio Connect after Certbot update.

Everything looked good and updating certificates without errors, but there were complaints about the expired certificate.

The problem is the INTERMEDIATE cert a stated in the subject of this thread.
It isn't updated by certbot, so we had to manually download it and put it in the right place on the server. We downloaded it and had to rename it from "lets-encrypt-r3.pem" to "lets-encrypt-r3.crt"
We put the certificate in: /opt/kerio/mailserver/sslca
After a reboot of Kerio Connect Mailserver everything works as expected and everybody was happy singing, dancing and reading all important spam-emails again.

Link to intermediade cert, change to .crt if necessary:
https://letsencrypt.org/certs/lets-encrypt-r3.pem

Hope this helps anyone.

Nummer378 · September 30, 2021, 5:40pm

That's a root certificate.

It is. You were probably using an incorrect configuration.

MrWest · September 30, 2021, 5:47pm

Yes, link changed, thanks!

I didn't care if the configuration was incorrect, I just wanted the f.....g thing to work.

Osiris · September 30, 2021, 8:04pm

Certbot just uses the chain provided by the ACME server. If there is any issue with the chain provided, it's probably user error, as currently there is no known issue with certbot and certificate chains.

tk6ix9ine · September 30, 2021, 9:06pm

Hello there,

For a few hours I have been having the same problem on some random navigators.

I have Nginx as an application server. Regenerate the certificate, I am using the fullchain certificate, I check the intermediate chain and it looks good (as in the examples above).

Certificate chain
 0 s:CN = janis.rocketpin.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

The same browsers with problems entering my site, have problems entering https://community.letsencrypt.org/

I would appreciate any ideas, I really don't know what else to try.

thanks for your help.

rg305 · September 30, 2021, 9:37pm

I see only:

---
Certificate chain
 0 s:/CN=janis.rocketpin.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---

Did you change something after that post?

rg305 · September 30, 2021, 9:37pm

Then the problem may be within those browsers / Operating Systems.
So which browser?
Which O/S?

JukkaUusisalo · September 30, 2021, 9:53pm

Thanks! That seems to be solution in my case.

jsha · October 1, 2021, 12:06am

A post was split to a new topic: Errors from browser-based email client

schoen · October 1, 2021, 1:27am

Just to be clear about this, Certbot updates the files in /etc/letsencrypt/live at every renewal (including a new CA-recommended trust chain). Many people use these files directly in their server applications.

If, however, you copy or migrate these files manually to another location, Certbot will no longer update that copy for you, unless you write a custom script using Certbot's --deploy-hook feature. If Certbot isn't updating it, your copy of the chain may get out of sync with the up-to-date copy that Certbot provides in /etc/letsencrypt/live.

phungld · October 1, 2021, 1:33am

Hi rg305,
My ACME client is WIN-ACME ver 2.1.10.896.
We are deploying the website on Windows/IIS, how can I remove this certs?
Thank you very much for your help.
Regards
Phung.