Root certificate expired

My domain is: mailpanda.com, webpowerchina.com

I used the library "Certes", which is linked on the website, to generate the SSL certificates. The certificates were generated some minutes ago.

On some PCs, the sites work fine. On most mobiles, it fails.

The tool on this page: SSL Checker

Report that:
Common name: R3
Organization: Let's Encrypt
Location: US
Valid from October 7, 2020 to September 29, 2021
Serial Number: 400175048314a4c8218c84a90c16cddf
Signature Algorithm: sha256WithRSAEncryption
Issuer: DST Root CA X3

Hi @zguoqi and welcome to the LE community forum :slight_smile:

There are two possible changes and either could improve that:

  • switch from the default/longer chain to the alternate/shorter
  • switch from using LE to another (free) CA that supports ACME protocol

How either of those are done with "Certes", I don't know exactly...
[but they should be possible, and we can search for how easily]


Certes only supports Let's Encrypt, and I do not see a method for "alternate/shorter":

https://docs.certes.app/CLI.html


Do you know at which stage I can do this:

  • switch from the default/longer chain to the alternate/shorter

Does anyone know how to issue a certificate without this DST Root CA X3?

@zguoqi Your webpowerchina.com site is using a very old "R3" chain:

Certificate chain
 0 s:/CN=webpowerchina.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

See this for an explanation of the two current chains. You should choose one of these.

Please answer the other questions you were shown when posting. This will help us guide you better. Thank you.

=============================================
Please fill out the fields below so we can help you better.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

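The question above was at which stage a client can pick the shorter chain. In the ACME protocol (RFC 8555, section 7.4.2) that happens when the client downloads the certificate: the CA's response carries the default chain in the body and may advertise other chains for the same end-entity certificate through `Link` headers with `rel="alternate"`. The following is an added example (not Certes code and not a Let's Encrypt tool) that parses those headers and selects a chain URL; the header values and URLs in it are constructed placeholders, not real ACME endpoints.

```python
"""Pick an ACME certificate chain from the Link headers on the certificate
download response (RFC 8555 section 7.4.2).

Added example for this thread, not code from Certes or from Let's Encrypt.
The header values below are constructed samples with placeholder URLs.
"""
import re
from typing import Dict, List, Optional, Tuple

# One RFC 8288 link-value: <URI-Reference> followed by ;name=value parameters.
_LINK_RE = re.compile(r'<([^>]*)>\s*((?:;\s*[^;,]+)*)')
_PARAM_RE = re.compile(
    r';\s*([A-Za-z][A-Za-z0-9*_-]*)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,\s]*)'
)


def parse_link_header(values: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (target, params) for every link-value in the Link header(s).

    A server may send several Link header lines or one line holding several
    comma-separated link-values; both forms are handled. Parameter names are
    lower-cased, quoted values are unquoted, and the first occurrence of a
    parameter wins, as RFC 8288 requires.
    """
    links: List[Tuple[str, Dict[str, str]]] = []
    for value in values:
        for m in _LINK_RE.finditer(value):
            target = m.group(1).strip()
            params: Dict[str, str] = {}
            for pm in _PARAM_RE.finditer(m.group(2)):
                name = pm.group(1).lower()
                raw = pm.group(2)
                if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                    raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
                params.setdefault(name, raw)
            links.append((target, params))
    return links


def alternate_chain_urls(link_values: List[str]) -> List[str]:
    """URLs of the alternate chains the CA offers for this certificate.

    Other relations the ACME server sends (for example rel="index") are
    ignored; rel may hold several space-separated relation types.
    """
    urls = []
    for target, params in parse_link_header(link_values):
        rels = params.get("rel", "").lower().split()
        if "alternate" in rels:
            urls.append(target)
    return urls


def choose_chain_url(default_url: str, link_values: List[str],
                     prefer_alternate: bool) -> str:
    """Return the URL the client should download the chain from.

    With prefer_alternate=True the first advertised alternate chain is taken
    (for Let's Encrypt at the time of this thread, the shorter chain rooted at
    ISRG Root X1); otherwise, or when no alternate is offered, the default
    chain URL is returned. Choosing by the name of the topmost certificate
    would require parsing each downloaded chain, which this example omits.
    """
    if prefer_alternate:
        alternates = alternate_chain_urls(link_values)
        if alternates:
            return alternates[0]
    return default_url


# Constructed sample: what a certificate download response might carry.
SAMPLE_CERT_URL = "https://acme.example/acme/cert/abc123"
SAMPLE_LINK_HEADERS = [
    '<https://acme.example/directory>;rel="index"',
    '<https://acme.example/acme/cert/abc123/1>;rel="alternate"',
]

if __name__ == "__main__":
    print("alternates:", alternate_chain_urls(SAMPLE_LINK_HEADERS))
    print("chosen:", choose_chain_url(SAMPLE_CERT_URL, SAMPLE_LINK_HEADERS, True))
```

Whatever the client, the chain it serves should come from this download each time a certificate is issued; a copy stored in the client or in the web server configuration will silently keep pointing at a cross-sign long after the CA has stopped issuing it.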

Same for the other mentioned domain:

---
Certificate chain
 0 s:CN = mailpanda.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

That chain hasn't been provided since May 2021.
Something may be hard-coded to use it (bad practice).


Thanks so much for your help.
------ my info --------------
My web server is (include version): Kestrel, self-hosted.
The operating system my web server runs on is: ubuntu 20.04
My hosting provider, if applicable, is: AliCloud
I can login to a root shell on my machine: YES
I'm using a control panel to manage my site: self made CMS.
The version of my client is: Certes.
----- end ---------------

I checked the source of the library I am using and indeed, I found some hard-coded root certificates. They are "isrg-root-x1.pem", "fake-le-root-x1.pem", "dst-root-ca-x3.pem".

I do not know why it needs to hard-code those. How should I handle this? Can I get the latest PEM file to update?


You really shouldn't be hard-coding the chain. [it can change at any time]
Certes should be providing the current chain.
If you can't find it, you can get it online several ways.
One way is using: crt.sh | example.com
Then click the link "Issuer:" (in the "Certificate:" section).
That will show you all the certs issued by that issuer.
Then click the first certificate number.
Then download the "PEM" file version of that cert (bottom left link)

For issuer "R3", the current cert is:
crt.sh | 3334561879
PEM
