Website certificate has expired from r3

I am getting “website certificate has expired from r3” for my website but my certificate looks to be up to date. What is going on here?

What is your website?

I think I may have fixed it; I did the software update and a manual renewal.

You didn’t likely need to renew (though it didn’t hurt). Your browser may have just been caching the expired R3 and needed to be closed/reopened.

In any case, your site is currently serving the “modern” Let’s Encrypt chain which should work for the vast majority of web browsers and clients. However, if you support Android users who are still on version 7.1.1 or earlier, you’ll need to take additional action to switch to the “legacy” chain to avoid cert errors on them. See here for details.

Have been seeing Safari on iOS devices fail (iOS 14) on certs that were renewed yesterday through CTW; these still had the root cert as DST Root CA X3 and were generated with the Preferred Chain left blank.
We’ve had to reissue certs again today but specify the preferred chain as ISRG Root X1. This seems to have fixed the issue.

Updating your bindings probably forced the refresh at the OS level. The Preferred Chain option is actually making no real difference on Windows - the PFX chain that gets built is largely ignored by Windows in preference to its own trust store, which is something we only recently realized.

Our official knowledge base article is here: "Let's Encrypt DST Root CA X3 expiry Sept 30th 2021" (Certify The Web Docs). The update to Certify The Web and a reboot should have fixed it.

Yes I saw that post after the fact but I think all is well now. Chrome, Safari and Apple apps were down for a bit.
