Www.ssllabs.com is showing a missing Certificate

I have been trying www.ssllabs.com to check my certificate and I am getting an error.
CRL ERROR: HTTP request failed with status code 404: http://crl.identrust.com/DSTROOTCAX3CRL.crl

However, I then checked https://community.letsencrypt.org with that site and it has the same error. Can I trust www.ssllabs.com, or is there an underlying error?

screenshot from https://community.letsencrypt.org

I am getting the same error. Both of those errors are causing my websockets on my Django website not to connect for Mac users.

I am getting the same result on the SSLlabs server test. It seems to me that there is a bug on their end, as ISRG Root X1 has nothing to do with identrust.com...

The DST Root CA X3 certificate (from IdenTrust), which has cross-signed the ISRG Root X1 certificate that Let's Encrypt uses, has expired, but is still part of the "default" chain for compatibility with old Android versions. But as it's expired, IdenTrust is no longer publishing the CRL for it. But this shouldn't matter, unless somewhere there's a client that is trying to check the CRL of an expired certificate. I find it unlikely that the missing CRL would be causing any actual problems, unless you're actually seeing a client giving some message saying so. SSLLabs is just correctly reporting that the root is expired, and has a missing CRL, but that should be irrelevant to most actual use cases.

4 Likes

Regardless of the status of this path, if "Path #1" is valid and that chain is being provided, then clients should be connected via "Path #1" without issue.

3 Likes
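
An added example, not part of any post in this thread: a small Python model of the two certification paths discussed above. It shows that a client which builds paths to its own trust store accepts the chain through Path #1 while Path #2 ends at the expired DST Root CA X3. The certificate records, the names `example.org` and `Intermediate CA`, and all dates are constructed for illustration.

```python
from datetime import datetime, timezone
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str
    not_after: datetime

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: what the server sends (leaf first) ...
SERVED = [
    Cert("example.org", "Intermediate CA", utc(2022, 1, 15)),
    Cert("Intermediate CA", "ISRG Root X1", utc(2025, 9, 15)),
    Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30)),  # cross-signed copy
]
# ... and the roots the client already trusts (self-signed).
TRUST_STORE = [
    Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4)),
    Cert("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30)),  # expired root
]

def build_paths(leaf, served, anchors):
    """Return every path from the leaf to a trust anchor, shortest first."""
    paths = []
    def walk(path):
        tip = path[-1]
        for anchor in anchors:                 # can we stop at a trusted root?
            if anchor.subject == tip.issuer:
                paths.append(path + [anchor])
        for cert in served:                    # or continue via a served cert
            if cert.subject == tip.issuer and cert not in path:
                walk(path + [cert])
    walk([leaf])
    return paths

def expired_in(path, now):
    """Subjects of the certificates in this path that are expired at `now`."""
    return [c.subject for c in path if c.not_after <= now]

def verify(leaf, served, anchors, now):
    """Accept when at least one path contains no expired certificate."""
    return any(not expired_in(p, now) for p in build_paths(leaf, served, anchors))

if __name__ == "__main__":
    now = utc(2021, 10, 15)                    # constructed "today"
    for n, p in enumerate(build_paths(SERVED[0], SERVED, TRUST_STORE), 1):
        names = " -> ".join(c.subject for c in p)
        print(f"Path #{n}: {names}; expired: {expired_in(p, now) or 'none'}")
    print("accepted:", verify(SERVED[0], SERVED, TRUST_STORE, now))
```

In this model, removing the self-signed ISRG Root X1 from `TRUST_STORE` leaves only the path through the expired root, and `verify` then returns `False`.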

It caused a problem with some Python code that uses URL Lib.

2 Likes

@tomturner

  • Is the chain from "Path #1" being served?
  • Have you resolved that python/urllib problem?
    If so, can you provide a clearer picture of the problem and the solution you used?

2 Likes

10 posts were split to a new topic: Urllib3 not working

2 posts were merged into an existing topic: Urllib3 not working
