The subject in the current certificate is causing an issue.
- Server certificate:
-
subject: CN=lencr.org
It should be letsencrypt.org instead of lencr.org.
This is probably impacting a lot of people.
Hi @macckone welcome to the community!
That is an HTTPS example session, which works well. The certificate contains the domain name in its SAN section:
subjectAltName: host "letsencrypt.org" matched cert's "letsencrypt.org"
2 Likes
Some mirrors do not have the same certificate:
- About to connect() to letsencrypt.org port 443 (#0)
- Trying 34.194.149.67...
- Connected to letsencrypt.org (34.194.149.67) port 443 (#0)
- Initializing NSS with certpath: sql:/etc/pki/nssdb
- CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none - Server certificate:
-
subject: CN=lencr.org -
start date: Oct 10 03:00:44 2021 GMT -
expire date: Jan 08 03:00:43 2022 GMT -
common name: lencr.org -
issuer: CN=R3,O=Let's Encrypt,C=US - NSS error -8162 (SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE)
- The certificate issuer's certificate has expired. Check your system date and time.
- Closing connection 0
Curl is showing it as expired but it is the subject mismatch.
My date is correct but I am having the same issue.
date
Wed Dec 1 11:22:22 EST 2021
Doh, it is the R3 certificate that is expired that signed your certificate!
For me it was an outdated ca bundle.
2 Likes
It was probably the ISRG Root X1 signed-by DST Root CA X3 certificate in the chain which was causing some trouble and not the R3 intermediate. But indeed, often updating the CA bundle fixes this.
3 Likes
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.