Site no longer works on old versions

My domain is: combien.online
My web server is (include version): nginx 1.19.6
The operating system my web server runs on is (include version): debian 9
I can login to a root shell on my machine : yes
The version of my client is : certbot 0.28.0

Hi!

My site is working properly, but since October 1st, users with old versions of Firefox (Firefox/45.0) or old versions of Mac OS X (Mac OS X 10_11_6) can't access it anymore; they have an expired certificate error.

So I tried to install Firefox version 45 on a Macbook (up to date) and I have indeed an SSL error "SEC_ERROR_EXPIRED_CERTIFICATE".

Everything had been working for years without a problem; this has been happening for 8 days.

Any idea how to fix this?
Thank you

2 Likes

Isn't that site behind CloudFlare?

Name:      combien.online
Addresses: 2606:4700:3030::ac43:9665
           2606:4700:3037::6815:47e3
           172.67.150.101
           104.21.71.227

Aside from having CF issue another cert, have you checked on upgrading the client systems?
Mac OS X 10.12 or higher should work.

From what date?

2 Likes

Yep! But I have another site with Let's Encrypt installed on my server (certbot) that has the same problem since October 1st.

Since October 1st, about 20 people have contacted me to report this on my different sites (all on different servers, some with Cloudflare, and others not).

With the test I did, I am on Mac Big Sur 11.6 and Firefox 45.

The problem is that it's my users who are experiencing this problem, not me. On my side, everything is up to date. I just installed this version of Firefox to reproduce the problem.

The problem has been occurring for a few days. There is no "fix" on my side to support the old versions except to say to update for those who manage to contact me?

1 Like

I understood that it was linked to this update: DST Root CA X3 Expiration (September 2021) - Let's Encrypt

And that we need a recent version of certbot to regenerate the certificate with the parameter --preferred-chain "ISRG Root X1" (I will have to fill in this parameter every month during the certificate update check?)

Can someone confirm this?

1 Like

Version 1.12.0 of certbot (OR a patched version certbot-1.11.0-2.el7 from Fedora EPEL 7) is required for the --preferred-chain functionality. When a certificate has been successfully issued with that option on the command line, the option is stored in the renewal configuration file for that specific certificate. So after a successful issuance you won't need to use it again for that cert.

4 Likes
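
To check the point made in the reply above across several servers, here is an added example (not part of the original thread and not certbot's own code) that reads certbot renewal configuration files and reports whether a preferred chain was stored for each certificate. The sample file contents and domain names are constructed, and the `version` and `preferred_chain` key names are assumed to match what certbot writes under /etc/letsencrypt/renewal/.

```python
import configparser

# Release the reply above names as required for --preferred-chain.
# A patched distro build (e.g. the EPEL 1.11.0 package) is flagged as too old here.
MIN_VERSION = (1, 12, 0)

# Constructed sample renewal files (hypothetical domains), in the layout
# assumed for /etc/letsencrypt/renewal/<name>.conf.
SAMPLES = {
    "old.example.conf": """\
version = 0.28.0
cert = /etc/letsencrypt/live/old.example/cert.pem
[renewalparams]
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
""",
    "new.example.conf": """\
version = 1.12.0
cert = /etc/letsencrypt/live/new.example/cert.pem
[renewalparams]
authenticator = nginx
preferred_chain = ISRG Root X1
""",
}

def parse_version(text):
    """Turn '1.12.0' into (1, 12, 0); a non-numeric suffix such as '.dev0' is dropped."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def audit_renewal_conf(text):
    """Report the recorded certbot version and stored preferred chain for one certificate."""
    cp = configparser.ConfigParser(interpolation=None)
    # Keys above [renewalparams] have no section header, so give them one.
    cp.read_string("[lineage]\n" + text)
    version = cp.get("lineage", "version", fallback="0")
    return {
        "version": version,
        "supports_preferred_chain": parse_version(version) >= MIN_VERSION,
        "preferred_chain": cp.get("renewalparams", "preferred_chain", fallback=None),
    }

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_renewal_conf(text))
```

On a real host, pass the text of each file in /etc/letsencrypt/renewal/ to `audit_renewal_conf`; a result with `preferred_chain` of `None` means no chain preference was saved for that certificate.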
