Renewal issue mac osx https

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):
The operating system my web server runs on is (include version):
OSX 10.11.5
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


I have the issue on all mac servers that the R3 isnt tusted an no devices can conect to the server
people suggest pointing to the fullchain.pem ? ? but i do not have this after trying to renew the files ai have are
-rw-r--r-- 1 admin staff 3751 11 Aug 00:15 ca.cer
-rw-r--r-- 1 admin staff 5658 11 Aug 00:15 fullchain.cer
-rw-r--r-- 1 admin staff 1907 11 Aug 00:15
-rw-r--r-- 1 admin staff 649 11 Aug 00:15
-rw-r--r-- 1 admin staff 1041 11 Aug 00:15
-rw-r--r-- 1 admin staff 252 11 Aug 00:15
-rw-r--r-- 1 admin staff 1675 17 Aug 2020

The server itself says DST Root CA X3 "certificate has expired"
none of the exchange mail clients on phone or using browser can login to the webserver help !

The content of your fullchain.cer might be the same as we are expecting in fullchain.pem - it should contain the PEM-encoded chain of certificates from issued by our R3 intermediate, the intermediate itself issued by our X1 root, and that root, issued by DST3.

Try this command, and paste the output:
openssl crl2pkcs7 -nocrl -certfile "fullchain.cer" | openssl pkcs7 -noout -print_certs

1 Like

It did, all i had to do was change the import to point to fullchain.cer and all was gravy on all platforms, thanks so much, moving forward will this need to change back ? Is it a temporary measure?

The answer here depends heavily on the platform of those connecting to your site. Our root X1 is directly trusted in the largest root stores. We aim for our root X2 to be the same. Different platforms have different methods and timelines of updating their trusted root stores. So I would like to hope that this is temporary - but it depends on how long you would like to support the long-tail of your client's platforms.

our clients are mac on old OS and new .... :grimacing:

I'm an artist who runs their own website and this issue has taken up my whole day. I know nothing about code or ssl or any of this kind of stuff. I just need my website to work because I'm losing sales. Help!!! Everyone I know with an Apple product can't access my site. If I buy a completely new SSL and install it own google who hosts my website,
will this fix the problem?

what is the site name ?

It still works on non apple products

If you have access to the HOSTING provider this is the peoeple that host your WWW files, you need to ask them to import the fullchain.pem or fullchain.cer of the existing certificate to get you back on your feet immediately ...

1 Like

This resolved my issue specifically for apple products

1 Like

It might fail on older Androids though:

Certificate chain
 0 s:/
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

That chain should look like this EXAMPLE:

Certificate chain
 0 s:/
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

And I'm pretty sure other clients are having troubles too.
See: SSL Server Test: (Powered by Qualys SSL Labs)

I just figured out that because I use a third party app to connect my domain name and Etsy account, I can't update anything.

Do you pay for hosting?


I've been on the phone with GoDaddy for hours and they say they can't fix it. It's with Etsy's 3rd party app - Pattern because that's where my website template is.

1 Like

I think I'm just gonna start over and rebuild my website.

1 Like

Best of luck :slight_smile:

1 Like

if you are PAYING etsy / Pattern i suggest you get them to sort it out - this is why you pay them ans they provide a service, It shouldnt be on you to re-do your whole site ...


use their support contact


Now I see two IPs...


But they both don't "work" (for different reasons).

1 Like