Renewal failures:34 [Certification path could not be validated]

Hi Sir,
My server certification failed to renew; the error information is below:
Request failed - Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine. :Certification path could not be validated. System.Exception: Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine. :Certification path could not be validated.
at Certify.Providers.ACME.Certes.CertesACMEProvider.ExportFullCertPFX(String certFriendlyName, String pwd, IKey csrKey, CertificateChain certificateChain, String certId, String primaryDomainPath) in C:\Work\GIT\certify_dev\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1299
at Certify.Providers.ACME.Certes.CertesACMEProvider.d__34.MoveNext() in C:\Work\GIT\certify_dev\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1172
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__17.MoveNext() in C:\Work\GIT\certify_dev\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 906
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__16.MoveNext() in C:\Work\GIT\certify_dev\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 698
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__14.MoveNext() in C:\Work\GIT\certify_dev\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 421
2021-10-28 08:33:04.014 +08:00 [INF] LiveProduction: Request failed - Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine. :Certification path could not be validated. System.Exception: Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine. :Certification path could not be validated.
at Certify.Providers.ACME.Certes.CertesACMEProvider.ExportFullCertPFX(String certFriendlyName, String pwd, IKey csrKey, CertificateChain certificateChain, String certId, String primaryDomainPath) in C:\Work\GIT\certify_dev\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1299
at Certify.Providers.ACME.Certes.CertesACMEProvider.d__34.MoveNext() in C:\Work\GIT\certify_dev\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1172
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__17.MoveNext() in C:\Work\GIT\certify_dev\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 906
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__16.MoveNext() in C:\Work\GIT\certify_dev\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 698
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__14.MoveNext() in C:\Work\GIT\certify_dev\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 421

The strange thing is I installed the app under C:\Program Files\CertifyTheWeb, and there's no folder named C:\Work\GIT. The app version is 5.2.1.0, and nobody changed anything. Any suggestion would be appreciated. Thanks.

You should worry more about the message it gave. The path is just the machine the program was built on.

Check system date/time is correct and that the issuing CA is a trusted root CA on this machine.

For the first part, you need to check that your server is well NTP-synced.

The second part, which is more likely, is that the new CA root that Let’s Encrypt started using in September is not known by your server. Windows 7 era machines might not.

From your server, try MSIE/Edge/Chrome with this site as a quick test: https://valid-isrgrootx1.letsencrypt.org/
If it fails, it is certainly a problem. A more manual and surefire way of determining this is running certmgr.msc.

If you are not able to find the above certificate on your system, this is probably why renewing is failing.

If you are using Let’s Encrypt as your cert issuer and you cannot find that CA installed, you will need to use a safe way of obtaining it. (This is security after all)


Hi, a few things:

  • Your version is very out of date, please update now.
  • The PFX (certificate) is failing to build because the root certificate required is not present in your machine's trust store (Trusted Root Certification Authorities). Installing the latest version will also fix this automatically because recent versions perform basic CA certificate maintenance.

As @jljtgr pointed out, the root cause is that your local machine certificate store is not being automatically kept up to date (it should be). This is usually either because you block outgoing HTTPS and Windows Update can't communicate, or because you have a group policy setting which has disabled automatic CA root certificate updates (possibly set years ago).
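Combining the checks from the two replies above (root CA present in the machine store, clock sync, root auto-update policy, and the valid-isrgrootx1 test site) into one read-only script. This is an added example, not code from this thread or from Certify The Web; the ISRG Root X1 subject name and the DisableRootAutoUpdate policy value are assumed from Let's Encrypt's and Microsoft's published documentation.

```powershell
# Added example: run in an elevated PowerShell on the affected server. Reports only, changes nothing.
# Assumptions: subject string as published by Let's Encrypt; policy value name as documented by Microsoft.

# 1. Is the Let's Encrypt root in the machine-wide Trusted Root Certification Authorities store?
$isrg = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*CN=ISRG Root X1*' }
if ($isrg) {
    "ISRG Root X1 present, expires $($isrg.NotAfter.ToString('u'))"
} else {
    "ISRG Root X1 NOT in LocalMachine\Root - this matches the PFX build failure in the log"
}

# 2. Has group policy disabled automatic root certificate updates?
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $policyPath -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    "Root auto-update is DISABLED by policy ($policyPath)"
} else {
    "Root auto-update is not disabled by policy"
}

# 3. Is the clock trustworthy? Show the time source and last successful sync from w32time.
w32tm /query /status | Select-String 'Leap Indicator|Source|Last Successful Sync Time'

# 4. End-to-end check: the test site must chain to ISRG Root X1 through the Windows store.
try {
    $resp = Invoke-WebRequest -Uri 'https://valid-isrgrootx1.letsencrypt.org/' -UseBasicParsing -TimeoutSec 15
    "Chain validation OK (HTTP $($resp.StatusCode))"
} catch {
    "Chain validation FAILED: $($_.Exception.Message)"
}
```

If step 1 or 4 fails while step 2 reports the policy is disabled, the policy (not the ACME client) is what needs attention.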

I also had this when some smart cookie had decided to set the cert's CA specifically to the expired root CA in the past for some reason.

Thanks for responding. I have checked that ISRG Root X1 is there. I will try to upgrade to the latest version first when the maintenance window opens.

We're also assuming that you are using Let's Encrypt, but if so the log file will mention that. If you are trying to get a cert via ZeroSSL or BuyPass Go (for example) you will need their root certs as well; the latest version auto-installs those.

Yes, using Let's Encrypt. Anyway, after I updated the Certify The Web client, the renewal was successful. Thank you guys. Just wondering if this is a limitation of the community edition? Since I started using it only in Feb this year, the client shouldn't be outdated so quickly, is it?

No, it's not really a limitation of the client. The client is and was working fine; your server, however, was not configured to receive root certificate updates automatically from Microsoft, so you eventually could not build the certificate required using a recent root certificate. You either have a group policy that prevents that or your system is not receiving updates from Microsoft (HTTPS blocked or it's too old).

The root certificate for Let’s Encrypt expired at the end of September, and all updated systems handled it correctly, but systems that are not receiving updates from Microsoft didn’t. As a workaround we updated Certify The Web to perform basic maintenance of some root certificates so that people wouldn’t have to learn how to update those themselves.