Mac devices (iPhone etc.) have shown a cert problem on my domain since the end of September, after years of functioning perfectly, but not on other Let's Encrypt encrypted domains.
I know the root cert was exchanged, so I compared the cert of https://shop.bbc.com/ with mine at https://support.webboard.org and found that there is not much difference; my public cert even has double the bit size.
Why do these errors only occur on my page when visiting with Apple devices, but not on other domains using Let's Encrypt? I already issued a new cert, but it doesn't help.
Your site is serving the "short chain". shop.bbc.com is serving the "long chain". You must have chosen the alternate chain to do that.
Yours:
Certificate chain
 0 s:/CN=webforum.eu
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
(Note: The domain you listed shows in the SAN list)
Compare to:
Certificate chain
 0 s:/CN=shop.bbc.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
You have nginx responding to HTTP requests, which issues a redirect to Apache for HTTPS on port 443. The Apache cert definitions use the old-style ChainFile. And the ACME client is LE32, which I am not familiar with. Apache and LE32 are running on Windows and nginx on Ubuntu (per its Server header, anyway).
Hopefully someone else with more experience in these areas can give instruction. Sorry
@Reinhard While waiting for someone else to assist, you might have some luck with the LE32/64 GitHub, in case you were not aware of it.
You ultimately want a chain that looks like the bbc site you showed. Use a site like this one to view the cert chain you actually send. https://www.sslshopper.com/ssl-checker.html
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.
LE32 is the newest version, 0.38.0.0, which I updated before issuing a new cert.
Yes, your ACME client should output a chain file you can use that includes at least the R3 intermediate (so that macOS clients don't have to guess the R3).
I'm not familiar with Crypt-LE, but the typical output of an ACME client for use with Apache will be:
A single certificate (this is your own certificate)
A set of one or more intermediate certificates (sometimes called CA, or chain)
A "full chain", including your cert, all the intermediates and possibly the root.
I'd suggest looking at other ACME clients long term. Windows options which can output files suitable for Apache include Certbot, Certify The Web and win-acme
Because browsers see the cert chain from your server but then build their own and show you what they did. They do this to adapt to poorly configured servers, among other reasons. How well this works depends on the browser, its version, and the system state. Not all browsers do it the same. Confusing, I know.
You must use something like openssl or websites like sslshopper to see the chain your server actually sends.
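As an added example (not from this thread or any of its posters), a small Python checker that reads the `Certificate chain` listing printed by `openssl s_client` and reports whether each certificate is actually issued by the next one sent and whether the chain contains one of the retired DST-signed intermediates discussed here; the two sample chains are constructed from the ones quoted above.

```python
import re
# Subject/issuer links the thread identifies as retired: the old X3 intermediate
# and the R3 cross-sign from DST Root CA X3 (that R3 expired 2021-09-29).
RETIRED_LINKS = {("Let's Encrypt Authority X3", "DST Root CA X3"),
                 ("R3", "DST Root CA X3")}
# Matches the " 0 s:/CN=..." and "   i:/C=US/..." lines printed by
# `openssl s_client -connect host:443 -servername host </dev/null`.
CHAIN_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")
# Both samples are constructed from the two chains quoted earlier in the thread.
SHORT_CHAIN = """Certificate chain
 0 s:/CN=webforum.eu
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3"""
LONG_CHAIN = """Certificate chain
 0 s:/CN=shop.bbc.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3"""

def common_name(dn):
    """Pull the CN out of an OpenSSL one-line DN such as '/C=US/O=x/CN=R3'."""
    m = re.search(r"CN=([^/]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text):
    """Return [(subject CN, issuer CN), ...] from the leaf (depth 0) upwards."""
    chain = []
    for line in text.splitlines():
        m = CHAIN_LINE.match(line)
        if not m:
            continue
        kind, dn = m.groups()
        if kind == "s":
            chain.append([common_name(dn), None])
        elif kind == "i" and chain:
            chain[-1][1] = common_name(dn)
    return [tuple(link) for link in chain]

def audit_chain(text):
    """List what is wrong with a served chain; [] means every cert is issued by
    the next one sent and no retired intermediate is present."""
    chain = parse_chain(text)
    problems = []
    for depth, (subject, issuer) in enumerate(chain):
        if (subject, issuer) in RETIRED_LINKS:
            problems.append(f"depth {depth}: '{subject}' signed by '{issuer}' is retired")
        if depth + 1 < len(chain) and chain[depth + 1][0] != issuer:
            problems.append(f"depth {depth}: issued by '{issuer}' but the next cert "
                            f"sent is '{chain[depth + 1][0]}' (stale chain file?)")
    return problems
```

Run `audit_chain` on the output of the openssl command in the comment to see the chain the server sends rather than the one the browser reconstructs.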
One of the root or intermediate certificates has expired (28 days ago).
Common name: R3
Organization: Let's Encrypt
Location: US
Valid from October 7, 2020 to September 29, 2021
Serial Number: 400175048314a4c8218c84a90c16cddf
Signature Algorithm: sha256WithRSAEncryption
Issuer: DST Root CA X3
@rg305 LE could have been clearer when updating the chain page. Instead of moving that cross-sign to the Retired section, they left it in the Active section with a notation of "retired" after it.
@Reinhard Rudy is right though, it is retired so use an active one.
IdenTrust has cross-signed our RSA intermediates for additional compatibility.
Active
Let’s Encrypt R3 (RSA 2048, O = Let's Encrypt, CN = R3)
Signed by ISRG Root X1: der, pem, txt
Cross-signed by IdenTrust: der, pem, txt (Retired)
What I still wonder: my server.crt holds all 3 certificates (server, intermediate, root), since this is what my LE client fetches at update time. So why do I explicitly have to state an intermediate cert in my Apache's htaccess? I tried it without, but it won't work.
I'm trying to understand that because I still have trouble with hMailServer, where intermediate certificates cannot be configured explicitly, and the full chain provided in the server.crt (3 certs in 1) fails on the iPhone mail client.