Unable to get local issuer certificate / Certificate period has expired

My domain is: www.cloner.cl / zifre.cloner.cl

I ran this command: openssl s_client -servername $anyserverusingLE -connect $anyserverusingLE:443

It produced this output: Code 20 Unable to get local issuer certificate / Code 10 Certificate period has expired

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.7 LTS

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Hello,

We have a lot of clients that connect to our servers. Recently, a few of them with older Ubuntu versions (16.04.3 and 12.04.5) couldn't validate the certificate correctly through OpenSSL.

The question is, did something change recently (recent days/weeks) such that these obsolete OSes couldn't validate any certificate of any site that uses LE? Because they stopped working all of a sudden.

Yes, I didn't only try our own servers, I also tried letsencrypt.org and it returned Error Code 10.
I tried to validate through other cert authorities and they all seemed to work.

We just want to get details of this issue so we can communicate properly to our clients and not just tell them to upgrade.

Hi @blad0506, and welcome to the LE community forum.

The cert being served by cloner.cl and the redirected site ("wp.cloner.cl") are issued by cPanel.
If there is a problem with their chain or root, there is nothing we can do about it here.

If there is another FQDN, that is using an LE cert and shows this problem, then please provide it.

2 Likes

Ubuntu 16.04 LTS is in "Extended Security Maintenance" mode currently, as it's rather old. This might mean you don't have a correct OpenSSL version installed. You might have OpenSSL 1.0.2 installed which has trouble with the "long chain" which is used for Android support, which includes an intermediate chained up to an expired root certificate.

It also might be that your Ubuntu version is too old to have the ISRG Root X1 root certificate in its root cert store.

2 Likes

Sorry. I didn't type our domains correctly; they are www.cloner.cl and zifre.cloner.cl
(I edited the original post too).

1 Like

Nothing changed with the certs in the past days/weeks. There was a change in Sept 2021 as one of two intermediate certs expired. You are using the "long chain" so have this expired cert (as does this forum's website). And this can confuse older openssl versions depending on their CA Root store. If this really is a recent change, this is unlikely to be the cause. But, further reading below might help anyway.

3 Likes
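The two client-side conditions raised in the replies above (an OpenSSL from before 1.1, such as the 1.0.2 mentioned, and a root store that lacks ISRG Root X1) can be checked on an affected client with the following added example, which is not code from any poster in this thread. The bundle path, the function names and the sample store are assumptions made for illustration.

```python
import ssl
import time

ISRG_ROOT_X1_CN = "ISRG Root X1"
# Assumption: the Debian/Ubuntu CA bundle location; adjust for other systems.
UBUNTU_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# Constructed sample in the shape ssl.SSLContext.get_ca_certs() returns.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Example Trust"),),
                 (("commonName", "Example Expired Root"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("commonName", "Example Valid Root"),),),
     "notAfter": "Jan  1 00:00:00 2035 GMT"},
]

def common_name(cert):
    """Return the subject commonName of a get_ca_certs() entry, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def audit(ca_certs, openssl_version_info, now=None):
    """Report the conditions that make a client reject the long chain."""
    now = time.time() if now is None else now
    expired = sorted(
        common_name(c) or "<no CN>"
        for c in ca_certs
        if ssl.cert_time_to_seconds(c["notAfter"]) < now
    )
    return {
        # Without this root the client has no valid trust anchor for the chain.
        "has_isrg_root_x1": any(common_name(c) == ISRG_ROOT_X1_CN for c in ca_certs),
        # Expired roots still sitting in the store, listed by common name.
        "expired_roots": expired,
        # True for the 1.0.x series, which includes the 1.0.2 named in the thread.
        "openssl_before_1_1": tuple(openssl_version_info[:2]) < (1, 1),
    }

def audit_local(bundle=UBUNTU_BUNDLE):
    """Audit this machine: the bundle file plus the OpenSSL that Python links."""
    ctx = ssl.create_default_context(cafile=bundle)
    return audit(ctx.get_ca_certs(), ssl.OPENSSL_VERSION_INFO)

if __name__ == "__main__":
    print(audit(SAMPLE_STORE, (1, 0, 2, 7, 15), now=1700000000))
```

Calling `audit_local()` on a client reports on the OpenSSL that Python is linked against, which may differ from the `openssl` binary on the PATH.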