I've been trying to wrap my head around this issue all day, could someone help resolve or at least explain it as if I'm a child?
I have an Ubuntu 16 server, running OpenSSL 1.1 and Let's Encrypt.
R3 support expired last night and now an application doesn't work on all devices because its intermediate signature is from R3?
I've removed the X3 from my cert chain providers and generated fresh SSLs with letsencrypt but it has not solved the issue.
Certificate Name: xxxxxx.xx.xx
Domains: xxxxxx.xx.xx
Expiry Date: 2021-12-29 11:47:31 00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/xxxxxx.xx.xx/fullchain.pem
Private Key Path: /etc/letsencrypt/live/xxxxxx.xx.xx/privkey.pem
What do I need to do?
More info on request.
Thanks for your time.
CodePudding user response:
Okay, what I did was to use this config in getssl.cfg:
PREFERRED_CHAIN="ISRG Root X1"
Then get new certificates with the -f option (force). This seems to shorten the chain so the problematic expired intermediate is no longer included in the chain for your Nginx. Or something along those lines.
At least it solved it for me; I was getting the error when using Net::HTTP via Ruby on a GET request to my own server with Let's Encrypt certs.
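
A way to confirm which chain the server is handing out after reissuing, as an added example that is not part of the original answer: it splits a fullchain.pem bundle and reports whether any certificate in it is still issued by DST Root CA X3, the cross-sign carried by the default Let's Encrypt chain at the time. The function names are hypothetical and the sample certificates (names, dates, key) are constructed for illustration.

```ruby
require "openssl"

# Split a PEM bundle (e.g. fullchain.pem) into certificates, leaf first.
def parse_chain(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# One row per certificate: who it is, who signed it, whether it has expired.
def chain_report(pem, now = Time.now)
  parse_chain(pem).map do |cert|
    { subject: cert.subject.to_s, issuer: cert.issuer.to_s,
      not_after: cert.not_after, expired: cert.not_after < now }
  end
end

# True when the bundle still contains a certificate issued by DST Root CA X3,
# i.e. the long chain rather than the one chosen by PREFERRED_CHAIN="ISRG Root X1".
def long_chain?(pem)
  chain_report(pem).any? { |row| row[:issuer].include?("CN=DST Root CA X3") }
end

# Constructed sample data: self-made certificates that only mimic the real names.
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)

def sample_cert(subject, issuer, not_after)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = OpenSSL::X509::Name.parse(issuer)
  cert.public_key = SAMPLE_KEY.public_key
  cert.not_before = Time.utc(2021, 1, 1)
  cert.not_after = not_after
  cert.sign(SAMPLE_KEY, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

LEAF  = sample_cert("/CN=example.test", "/CN=R3", Time.utc(2021, 12, 29))
R3    = sample_cert("/CN=R3", "/CN=ISRG Root X1", Time.utc(2025, 9, 15))
CROSS = sample_cert("/CN=ISRG Root X1", "/CN=DST Root CA X3", Time.utc(2024, 9, 30))
LONG_CHAIN  = LEAF + R3 + CROSS   # bundle that still includes the cross-signed root
SHORT_CHAIN = LEAF + R3           # bundle after requesting the ISRG Root X1 chain

if __FILE__ == $PROGRAM_NAME
  pem = File.file?(ARGV[0].to_s) ? File.read(ARGV[0]) : LONG_CHAIN
  chain_report(pem).each { |r| puts "#{r[:subject]} <- #{r[:issuer]} (expires #{r[:not_after]})" }
  puts long_chain?(pem) ? "bundle still chains to DST Root CA X3" : "bundle chains to ISRG Root X1"
end
```

Pass the path from "Certificate Path" as the first argument to check the real bundle; with no argument the script runs on the constructed long chain.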