Hi,
We got a load of SSL warnings from our sites yesterday, and it looks like they all have well in date certs, but they are all using the Let's Encrypt DST Root CA X3 and the intermediate R3 that will expire in < 1 week.
I’ve even just created a new site and new cert via Certify The Web, and openssl.exe s_client -connect my.new.site:443 is still showing:
Certificate chain
 0 s:CN = my.new.site
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
This is all on Windows with IIS. Do I need to manually install the new ISRG Root X1 on the server somehow? I’ve been reading thread after thread here and elsewhere and I’ve not been able to work it out.
Update: even after upgrading to 5.5.4 and rebooting, the ISRG Root X1 is now there, but requesting a new cert still appears to use the old chain.
Is openssl still reporting the old chain, or is it Windows? If it’s Windows, you can ignore that (it’s specific to the machine you are on and which R3 intermediate it chooses to follow).
If openssl says you still have the old chain that’s different.
Feel free to open a support ticket if you don’t want to share your domain here.
Apologies - I realize I never followed up on this.
OpenSSL kept reporting the old chain, and the Windows “show certificate” dialog would return different chains depending on how you got to that dialog box.
The basic remedy we propose is that you install the latest version of the Certify The Web app, which removes the need for you to do other certificate store maintenance, then reboot your server to clear cached chains.
You can check your served certificate chain (which can be different to the chain that the client decides to use) using https://chainchecker.certifytheweb.com/. As you know, clients with out-of-date trust stores will continue to have issues, so if you need to you can optionally change certificate authority in the app: Certificate Authorities | Certify The Web Docs (e.g. to ZeroSSL).
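The distinction drawn in this thread, between the chain the server actually sends and the chain a Windows client rebuilds locally, is easiest to verify from the raw "Certificate chain" section that openssl s_client prints. The following added example (not code from the original thread or from the Certify The Web project) parses that section and reports whether the last certificate the server sent is issued by DST Root CA X3 (the chain the original post showed) or by ISRG Root X1. The two sample outputs are constructed to mirror the post's output; the function names and the "old-chain"/"isrg-chain" labels are this example's own.

```python
"""Parse the 'Certificate chain' block printed by `openssl s_client -connect host:443`
and report which root the served (not the locally rebuilt) chain is built toward."""
import re
import sys

# Constructed sample: the chain reported in the original post (R3 cross-signed by DST Root CA X3).
OLD_CHAIN_OUTPUT = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = my.new.site
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
"""

# Constructed sample: the same site once the server sends the R3 issued by ISRG Root X1.
NEW_CHAIN_OUTPUT = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = my.new.site
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
"""

# s_client prints each chain entry as " N s:<subject>" followed by "   i:<issuer>".
ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    chain = []
    lines = output.splitlines()
    in_chain = False
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.strip() == "Certificate chain":
            in_chain = True
            i += 1
            continue
        if in_chain:
            if line.strip() == "---":  # end of the chain section
                break
            m = ENTRY_RE.match(line)
            if m and i + 1 < len(lines):
                im = ISSUER_RE.match(lines[i + 1])
                if im:
                    chain.append((m.group(2).strip(), im.group(1).strip()))
                    i += 2
                    continue
        i += 1
    return chain


def cn_of(dn):
    """Pull the CN attribute out of an OpenSSL one-line DN such as 'C = US, O = X, CN = R3'."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip() == "CN":
            return value.strip()
    return None


def served_root_issuer(chain):
    """CN of the issuer of the last certificate the server actually sent."""
    if not chain:
        return None
    return cn_of(chain[-1][1])


def check_served_chain(output):
    """Classify the served chain by the root it is built toward."""
    root = served_root_issuer(parse_chain(output))
    if root == "DST Root CA X3":
        return ("old-chain", root)   # the chain from the original post
    if root == "ISRG Root X1":
        return ("isrg-chain", root)
    return ("unknown", root)


if __name__ == "__main__":
    # Usage: openssl s_client -connect my.new.site:443 -servername my.new.site </dev/null | python check_chain.py
    status, root = check_served_chain(sys.stdin.read())
    print(f"served chain: {status} (last issuer CN: {root})")
```

Because the parser works on the text the server's TLS handshake produced rather than on anything the local certificate store decided, it answers the question asked in the replies above: whether the server itself still serves the old chain, independent of which R3 intermediate a given Windows machine chooses to follow.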