Unable to validate certificate

The subject in the current certificate is causing an issue.

* Server certificate:
*   subject: CN=lencr.org

It should be letsencrypt.org instead of lencr.org.
This is probably impacting a lot of people.

Hi @macckone, welcome to the community!

That is an HTTPS example session, which works well. The certificate contains the domain name in its SAN section:

subjectAltName: host "letsencrypt.org" matched cert's "letsencrypt.org"
2 Likes

Some mirrors do not have the same certificate:

* About to connect() to letsencrypt.org port 443 (#0)
*   Trying 34.194.149.67...
* Connected to letsencrypt.org (34.194.149.67) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*   subject: CN=lencr.org
*   start date: Oct 10 03:00:44 2021 GMT
*   expire date: Jan 08 03:00:43 2022 GMT
*   common name: lencr.org
*   issuer: CN=R3,O=Let's Encrypt,C=US
* NSS error -8162 (SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE)
* The certificate issuer's certificate has expired. Check your system date and time.
* Closing connection 0

Curl is showing it as expired but it is the subject mismatch.

My date is correct but I am having the same issue.
date
Wed Dec 1 11:22:22 EST 2021

Doh, it is the R3 certificate that is expired that signed your certificate!

For me it was an outdated CA bundle.

2 Likes

It was probably the ISRG Root X1 signed-by DST Root CA X3 certificate in the chain which was causing some trouble and not the R3 intermediate. But indeed, often updating the CA bundle fixes this.

3 Likes
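
An added example, not part of any post in this thread: a small triage of the curl verbose output quoted above. It checks whether the leaf certificate is inside its validity window at the client's date before attributing the NSS error to the issuer chain. The function names and category labels are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the certificate lines of the curl -v output quoted in the thread.
CURL_LOG = """\
* Server certificate:
*   subject: CN=lencr.org
*   start date: Oct 10 03:00:44 2021 GMT
*   expire date: Jan 08 03:00:43 2022 GMT
*   common name: lencr.org
*   issuer: CN=R3,O=Let's Encrypt,C=US
* NSS error -8162 (SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE)
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # date layout used in the quoted output


def field(log, name):
    """Return the value of a '*   name: value' line, or None if absent."""
    m = re.search(rf"^\*\s+{re.escape(name)}:\s*(.+?)\s*$", log, re.M)
    return m.group(1) if m else None


def parse_date(text):
    """Parse a certificate date from the log as an aware UTC datetime."""
    return datetime.strptime(text, DATE_FMT).replace(tzinfo=timezone.utc)


def triage(log, now):
    """Classify the failure: 'leaf-or-clock', 'issuer-chain-expired' or 'other'."""
    start, end = field(log, "start date"), field(log, "expire date")
    err = re.search(r"NSS error -?\d+ \((\w+)\)", log)
    name = err.group(1) if err else None
    if start and end and not parse_date(start) <= now <= parse_date(end):
        return "leaf-or-clock"  # leaf not valid at 'now': expired leaf or wrong system date
    if name == "SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE":
        # Leaf is in date, so the expiry is further up the chain as the client's
        # trust store sees it; the thread's fix was updating the CA bundle.
        return "issuer-chain-expired"
    return "other"


if __name__ == "__main__":
    # System date posted in the thread: Wed Dec 1 11:22:22 EST 2021 (16:22:22 UTC)
    posted = datetime(2021, 12, 1, 16, 22, 22, tzinfo=timezone.utc)
    print(field(CURL_LOG, "subject"), "->", triage(CURL_LOG, posted))
```
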
