I am getting “website certificate has expired from r3” for my website but my certificate looks to be up to date. What is going on here?
What is your website?
I think I may of fixed it, did the software update, and a manual renewal.
You didn’t likely need to renew (though it didn’t hurt). Your browser may have just been caching the expired R3 and needed to be closed/reopened.
In any case, your site is currently serving the “modern” Let’s Encrypt chain which should work for the vast majority of web browsers and clients. However, if you support Android users who are still on version 7.1.1 or earlier, you’ll need to take additional action to switch to the “legacy” chain to avoid cert errors on them. See here for details.
Have been seeing Safari on iOS devices fail (iOS 14) on certs that were renewed yesterday through CTW, these still had the root cert as DST Root CA X3 and were generated with the Preferred Chain left blank.
We’ve had to reissue certs again today but specify the preferred chain as ISRG Root X1. This seems to have fixed the issue.
Updating your bindings probably forced the refresh at the OS level. The Preferred Chain option is actually making no real difference on Windows - the PFX chain that gets built is largely ignored by Windows in preference to it’s own trusts store, which is something we only recently realized.
Our official knowledge base article is here: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021 | Certify The Web Docs and the update to Certify The Web and a reboot should have fixed it.
Yes I saw that post after the fact but I think all is well now. Chrome, Safari and Apple apps were down for a bit.