My domain is: crt.sh | 6401694660
My web server is: Apache 2.4.51
The operating system my web server runs on is: openSUSE 15.3
I can login to a root shell on my machine: Yes
I'm using a control panel to manage my site: No
The version of my client is: python2-certbot-1.4.0
This certificate has been running fine since installation, as have all previous renewals. In our Apache config, we set SSLCertificateFile to the fullchain.pem file that is provided by Let's Encrypt. That file contains these three certificates in this order (I'm showing decoded snippets; the file contains PEM, obviously):
#1 Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 03:95:c4:28:bb:82:76:f6:16:2e:ae:f7:0c:1e:4b:a3:e1:39
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Mar 24 01:03:18 2022 GMT
            Not After : Jun 22 01:03:17 2022 GMT
        Subject: CN = test.cookc.patientexp.com

#2 Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Sep  4 00:00:00 2020 GMT
            Not After : Sep 15 16:00:00 2025 GMT
        Subject: C = US, O = Let's Encrypt, CN = R3

#3 Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Jan 20 19:14:03 2021 GMT
            Not After : Sep 30 18:14:03 2024 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Note: the last certificate in the chain is the version of ISRG Root X1 that is cross-signed by the expired DST Root CA X3. I know that shouldn't matter, but see below...
There is another Windows machine on the network that communicates with this machine via HTTPS, and that has been working fine until that Windows machine was updated a few days ago (our Apache server was not changed at all).
After the update, the Windows machine started failing HTTPS connections due to an error validating the certificate.
In the heat of the moment, we fixed this problem by installing the ISRG Root X1 intermediate certificate into the Windows "Intermediate Certification" folder. After doing that, things immediately started working, so the problem was resolved - but not fully understood.
Afterwards, we verified that the Windows machine does have the ISRG Root X1 certificate installed in its "Trusted Root Certifications" folder, but it has the self-signed version, whereas the version we are providing in fullchain.pem (which comes directly from certbot) is the version cross-signed by the (expired) DST Root CA X3.
So the immediate problem is resolved, but the lingering question is: why did Windows fail to validate the certificate in the first place when ISRG Root X1 was in fullchain.pem and in the Windows certificate store?
Does it have something to do with the fact that the two certificates were different variants, one self-signed, while the other was cross-signed by an expired cert? Obviously that shouldn't matter...
Has anyone else run into a similar sounding situation?
Thanks for any insights.
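The open question above comes down to how a validator treats the supplied cross-signed ISRG Root X1 versus the self-signed copy in the trust store. The following added example (mine, not the poster's, Windows's, or certbot's code) models the two path-building behaviours that decide that outcome for the chain in this post: one that consults the trust store before the supplied chain at every step, and one that follows the supplied chain to its end first. Key labels, the trust-store contents, and the use of label comparison in place of real signature checks are assumptions.

```python
"""Model of X.509 path building for the fullchain.pem described above.
Certificates are dicts; a signature is modelled as a key-label match,
an assumption standing in for real cryptographic verification."""
from datetime import datetime, timezone

def utc(*ymdhms):
    return datetime(*ymdhms, tzinfo=timezone.utc)

# Constructed from the decoded fullchain.pem in the post; key labels are assumptions.
FULLCHAIN = [
    {"subject": "test.cookc.patientexp.com", "issuer": "R3", "key": "leaf-key",
     "signed_by_key": "r3-key", "not_after": utc(2022, 6, 22, 1, 3, 17)},
    {"subject": "R3", "issuer": "ISRG Root X1", "key": "r3-key",
     "signed_by_key": "isrg-x1-key", "not_after": utc(2025, 9, 15, 16, 0, 0)},
    # Cross-signed ISRG Root X1: same key as the self-signed root, different issuer.
    {"subject": "ISRG Root X1", "issuer": "DST Root CA X3", "key": "isrg-x1-key",
     "signed_by_key": "dst-x3-key", "not_after": utc(2024, 9, 30, 18, 14, 3)},
]

# Constructed trust store: the self-signed ISRG Root X1 the post found in
# "Trusted Root Certifications", plus the expired DST Root CA X3 (assumed present).
TRUST_STORE = [
    {"subject": "ISRG Root X1", "issuer": "ISRG Root X1", "key": "isrg-x1-key",
     "signed_by_key": "isrg-x1-key", "not_after": utc(2035, 6, 4, 11, 4, 38)},
    {"subject": "DST Root CA X3", "issuer": "DST Root CA X3", "key": "dst-x3-key",
     "signed_by_key": "dst-x3-key", "not_after": utc(2021, 9, 30, 14, 1, 15)},
]

def find_issuer(cert, pool):
    """First cert in pool whose subject and key match cert's issuer and signing key."""
    for cand in pool:
        if cand["subject"] == cert["issuer"] and cand["key"] == cert["signed_by_key"]:
            return cand
    return None

def build_path(leaf, supplied, trust_store, now, anchor_first):
    """Walk from leaf to a trust anchor; returns (ok, [subjects], reason).
    anchor_first=True: check the store before the supplied chain at each step,
    so the cross-signed ISRG Root X1 is never used once the self-signed one
    is found. anchor_first=False: exhaust the supplied chain before the store."""
    path, cert = [leaf], leaf
    for _ in range(len(supplied) + len(trust_store) + 1):
        names = [c["subject"] for c in path]
        if cert["not_after"] < now:
            return False, names, f"expired: {cert['subject']}"
        if cert["subject"] == cert["issuer"]:
            return (cert in trust_store), names, "anchored" if cert in trust_store else "untrusted root"
        pools = [trust_store, supplied] if anchor_first else [supplied, trust_store]
        nxt = next((f for f in (find_issuer(cert, p) for p in pools) if f), None)
        if nxt is None:
            return False, names, f"no issuer found for {cert['issuer']}"
        path.append(nxt)
        cert = nxt
    return False, [c["subject"] for c in path], "path too long"

if __name__ == "__main__":
    now = utc(2022, 4, 1, 0, 0, 0)
    for anchor_first in (True, False):
        print(anchor_first, build_path(FULLCHAIN[0], FULLCHAIN[1:], TRUST_STORE, now, anchor_first))
```

Validating on a date when the leaf is still valid, the store-first walk anchors at the self-signed ISRG Root X1 while the chain-literal walk runs into the expired DST Root CA X3 and fails.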