SSL Certificate expired

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

api.zodomus.com

When I run SSL checks (on several tools), all checks are valid.

But if I make a POST call to an API on our domain, we receive the following error:

cURL error 60: SSL certificate problem: certificate has expired

If I run POSTMAN it also issues a certificate expired error.

Regards

Manuel

Hi, This is most likely related to the expiration of the DST X3 root certificate.

Your server is correctly providing the certificate chain Let's Encrypt recommended, however it seems that this chain works less well than it was intended to.

You can switch to a chain that avoids using DST Root X3 by first making sure certbot is updated to version 1.12.0 or newer, and then adding the command line flag --preferred-chain "ISRG Root X1" when requesting a certificate.

1 Like

What devices is that site not working on? I can see that it is serving the chain without DST Root X3, so it should work on most devices except Android lower than version 7. You may also need to restart your device.

What you have on your side with ISRG Root X1 at the top is correct, and is the certificate your server is currently serving.

The certificate in your other screenshot, DST Root X3, is no longer being sent by your server and so should not cause any further problems. If it's still appearing on devices, try restarting the browser or even the whole device, as it appears to have cached the old certificate.

For instance, if I use POSTMAN to POST to some of our APIs, we get "Certificate has expired".

Sorry @softinmotion, that reply was for @Lapa.

@softinmotion, you should see my original reply: SSL Certificate expired - #2 by Tugzrida

@Lapa, your site is currently serving this chain:

*.taming.io < R3 < ISRG Root X1

This will work for all the devices listed here: Certificate Compatibility - Let's Encrypt

That screenshot you added of macOS El Capitan is older than macOS 10.12.1, which is the oldest version that includes ISRG Root X1. The only way to get a Let's Encrypt certificate to work on macOS El Capitan is to manually add ISRG Root X1 to the trust store.

2 Likes
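To see which of the two chains discussed above a server is actually sending, the following added example (not part of the original thread) turns the "Certificate chain" section of `openssl s_client` output into the `leaf < R3 < root` notation used in the reply and flags a chain that still ends at DST Root X3. The function names, the host `api.example.com` and both sample outputs are constructed for illustration, and the parser assumes the `s:` / `i:` line layout that `openssl s_client` prints.

```shell
# Summarise the chain a server sends as "leaf < issuer < ... < top issuer".
# Input on stdin: text output of `openssl s_client` (the "Certificate chain" section).
chain_summary() {
  awk '
    function cn(line) { sub(/.*CN ?= ?/, "", line); sub(/,.*/, "", line); return line }
    /^Certificate chain/        { in_chain = 1; next }
    in_chain && /^---/          { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/  { if (out == "") out = cn($0); next }
    in_chain && /^ *i:/         { out = out " < " cn($0) }
    END                         { print out }
  '
}

# Exit status 0 when the served chain still leads up to DST Root X3.
chain_uses_dst_root_x3() {
  chain_summary | grep -q 'DST Root X3$'
}

# Constructed sample: chain that includes the cross-sign from DST Root X3.
sample_long_chain() {
  cat <<'EOF'
Certificate chain
 0 s:CN = api.example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root X3
---
EOF
}

# Constructed sample: chain as served after --preferred-chain "ISRG Root X1".
sample_short_chain() {
  cat <<'EOF'
Certificate chain
 0 s:CN = api.example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
}

# Live use (api.example.com is a placeholder host):
#   openssl s_client -connect api.example.com:443 -servername api.example.com </dev/null 2>/dev/null | chain_summary
sample_long_chain | chain_summary
sample_short_chain | chain_summary
```

The summary reflects only what the server sends; whether a given client accepts it still depends on that client's own trust store.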

Thank you very much! But this is terrible news for me, I can't ask hundreds of my users to do such a thing... It's way too complex. And it was working fine just 2 days ago. What should I do?

Do you think there is some more "lenient" certificate to create? I can't prevent a good part of my users from using my website because of a certificate...

Well a lot of your users' devices are probably new enough to include ISRG Root X1, but if you do have a large number of users using very old devices for some reason that don't include it, then your only option would be to get a certificate from a different certificate authority, though this will only move the problem a few years down the road.

Once an old device stops receiving software updates, it is only a matter of time before it stops working, that's just the reality these days.

2 Likes

hah thanks... Any suggestion?

Buypass also offers free certificates via the ACME protocol like Let's Encrypt. Their root certificate has been around since 2010, so it's likely to be supported fairly well.

1 Like

Thanks a lot, I'll look into it.
