SSL certificate is valid but browsers say invalid

Time:10-07

I have been looking for a solution for hours but can't find any. I am using a Let's Encrypt SSL certificate via certbot.

My domain is ektaz.com. When I check the certificate in the browser it says

Expires: 8 November 2021 Monday 16:24:33 GMT+03:00

When I check it from the server side with certbot certificates I get the result

Expiry Date: 2021-11-08 13:24:33+00:00 (VALID: 39 days)

But all browsers say the certificate is invalid; I don't understand why.

Also, I have renewed this certificate many times using certbot renew and had no issue so far. I have cleared all caches and tried again; the result is the same. I restarted Apache many times. I even restarted the server, but nothing changed.

Server OS: Ubuntu 20.04 LTS

CodePudding user response:

Your certificate is likely not invalid at all.

There is a simple fix. I'm using the nginx configuration style for this example:

ssl_certificate /usr/local/etc/letsencrypt/live/domain.com/cert.pem;

Lines like that need to be replaced by lines like this:

ssl_certificate /usr/local/etc/letsencrypt/live/domain.com/fullchain.pem;

Then refresh your server's configuration.

This problem is popping up all over the place, including with both small and large websites.

The root cause is older tutorials for configuring web servers that served the cert.pem file (because it worked) rather than the fullchain.pem file, which makes sure a browser gets the full chain needed to validate the certificate.

Unfortunately, Apple, Mozilla, and some others have dropped the ball and are still using the same intermediate certificate (IdentTrust DST Global Root CA X3) which expired yesterday afternoon at 2:21:40 pm CST to check certificates that were using it before. iOS 15.0 (19A346) is the only released Apple software version that is automatically using the new intermediate certificate even when the server doesn't send the full chain.

The actual intermediate certificate being used by the server is issued to R3 by ISRG Root X1, but unless you configure your server to explicitly tell this to browsers by using the fullchain.pem within the server configuration, then sadly many software companies have dropped the ball and don't do it right on their own.

But once again, this is an easy fix. Just make that slight change to the lines in your server's configuration file ("cert.pem" -> "fullchain.pem") and you should be fine.

And there's no reason not to keep on using the fullchain.pem file permanently. In fact, even prior to this situation, various networks (college campus WiFi networks are notorious for this) will screw up your certificate's chain of authority unless you use the fullchain.pem file anyway. Let's Encrypt even recommends this now as the only proper way to configure your web server to use certificates.
