Hello, my SSL certificate appears to be invalid on some systems, and it is asking the user to accept the risk or go back.
The date is correct and the browser is the latest version.
My domain is: https://breastcancerpayments.com/
I ran this command:
sudo systemctl status certbot.timer - to confirm my auto renewal is working perfectly fine, and the output came back correct
sudo certbot renew --dry-run - to simulate the auto renewal, and the test went well
sudo certbot --apache - to manually renew the SSL cert, and it was successfully expanded
But the problem still persists on the systems.
My web server is (include version): Ubuntu 18.04.2 LTS
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I SSH using PuTTY
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
Hi @PeterChijioke11 and welcome to the LE community forum
Does your renewal process include a restart, or reload, of the
Yes, I have also done that manually.
Please show the output of:
[I suspect you will find overlapping certs]
Yes, what @rg305 says, but also: did you try just restarting Firefox? Sometimes browsers cache prior cert chains. Based on your statement that you "expanded" the cert, maybe you did not have the www name in your prior cert?
Right now your server is sending a cert with both the apex and www names in the same cert, whichever domain name is in the request, so all seems fine.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: breastcancerpayments.com
Domains: breastcancerpayments.com www.breastcancerpayments.com
Expiry Date: 2022-03-24 12:43:36+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/breastcancerpayments.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/breastcancerpayments.com/privkey.pem
The problem appears to occur only on some systems, so some site visitors might not experience this, which makes it kind of hard to debug.
Yes, it does make it harder. Can you be more specific about which operating systems and browsers show the error? Also the version numbers of each. Do they show the same error as in your sample? Your sample screen was for Firefox (as best I could tell).
The error message you show indicates you requested the www.breastcancerpayments.com site in the URL, but the cert was only for breastcancerpayments.com. As I note, right now your site sends a cert with both names for requests to either domain name.
You can see this yourself using a site like this - try both names:
(look at SANs item)
Let me get the system and browser version details from my client.
And the exact error message, please.
For the exact error message, here is a screenshot
Ok, that's different from the one you showed earlier. We need to know the operating system and browser version numbers to be more specific with advice. Thanks.
Please let your client check the date and time of their computer, as the certificate is perfectly valid.
Note: that's the screenshot from before I did a manual renew to see if the issue would be resolved.
As for the system and browser data:
Windows: Server 2008 R2
Yes, it is working perfectly fine on all my browsers, but the client is still experiencing the same issue.
Did your client already check their computer's date setting?
Oh, a Windows Server 2008 client? It is probably objecting to the DST Root CA X3 in the "long chain" your server is using. Starting Oct 1 of this year, Let's Encrypt has two chains, a long one and a short one, as the DST Root expired on Sept 30. This is probably the cause of the expired message from the Windows Server.
Can that client access https://letsencrypt.org? It uses the same cert chain as your site, so it should fail with the same error. If so, it confirms this as the problem.
Windows Server is funny about certs sometimes. There are some options but let's confirm this first.
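The test suggested in the post above (does the client see the same chain as letsencrypt.org?) can also be done from the server side by looking at which chain it actually serves. The script below is an added example, not something posted in this thread or part of Certbot: it classifies `openssl s_client -showcerts` output as the "long" chain (last issuer is the expired DST Root CA X3) or the "short" chain (ends at ISRG Root X1). The sample s_client transcripts are constructed in the shape OpenSSL 1.1.1 prints, with a made-up hostname, so the script runs offline; `probe_host` is the live, network-using variant.

```shell
#!/bin/sh
# Added example, not from the thread: tell the Let's Encrypt "long" chain
# (last issuer is the expired DST Root CA X3) from the "short" chain
# (last issuer is ISRG Root X1) using the text `openssl s_client -showcerts`
# prints. Only the issuer ("i:") lines of the "Certificate chain" block are
# inspected, so it works with both the OpenSSL 1.0.2 ("i:/C=US/...") and
# 1.1.1+ ("i:C = US, ...") line formats.

# Read s_client output on stdin; print one of: long, short, unknown.
chain_kind() {
    issuers=$(awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { exit }
        in_chain && /^ *i:/  { print }
    ')
    if printf '%s\n' "$issuers" | grep -q 'DST Root CA X3'; then
        echo long
    elif printf '%s\n' "$issuers" | grep -q 'ISRG Root X1'; then
        echo short
    else
        echo unknown
    fi
}

# Live probe (needs network). Compare e.g. your own host against
# letsencrypt.org, which the thread says serves the same chain.
probe_host() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | chain_kind
}

# Constructed sample: the long chain (leaf, R3, ISRG Root X1 cross-signed
# by DST Root CA X3). Hostname "example.test" is made up.
LONG_SAMPLE=$(cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
EOF
)

# Constructed sample: the short chain (leaf, R3; stops at ISRG Root X1).
SHORT_SAMPLE=$(cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
EOF
)

# With hostnames as arguments, probe them live; otherwise run the
# offline samples so the script demonstrates itself.
if [ "$#" -gt 0 ]; then
    for h in "$@"; do
        printf '%s: %s\n' "$h" "$(probe_host "$h")"
    done
else
    printf 'constructed long sample:  %s\n' "$(printf '%s\n' "$LONG_SAMPLE" | chain_kind)"
    printf 'constructed short sample: %s\n' "$(printf '%s\n' "$SHORT_SAMPLE" | chain_kind)"
fi
```

If the probe reports `long`, the server is sending the cross-signed ISRG Root X1 from `fullchain.pem`, which is what an old Windows Server client can trip over. Recent Certbot releases can request the short chain at issuance with `--preferred-chain "ISRG Root X1"`; the certbot 0.31.0 in this thread predates that option, so Certbot would need upgrading first. Note that the short chain drops the compatibility with very old Android devices that the long chain was kept for.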
Okay, I will give you feedback shortly.
Why would Windows say the end leaf certificate is invalid? That doesn't make any sense if it's a chain issue. The error should make that clear.
No, it doesn't. But I am pretty sure we have seen browsers show just the leaf in the Details page even for chain problems shown more prominently in the browser window.
The message on this detail page makes no sense for the leaf. Their clock would have to be off by days for the cert to be "not yet valid", and it certainly is not expired. We will know more soon as we gather more info.