Closed nicolaasjan closed 2 years ago
Probably, there is nothing wrong with this cert. You probably need to add the Let's Encrypt root key.
Thanks.
Was the certificate changed recently? Because I can also reproduce this.
Looks like it would be this https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
So on older devices we have to install ISRG Root X1?
Thanks. That is definitely the issue.
I am not sure why Windows 10 does not have their "new" certificates in the default store though.
@nicolaasjan
However, this certificate expires 20211101. Do I have to repeat this workaround then?
So to answer this, you just need to add the Let's Encrypt root certificate to your store and shouldn't need to renew sponsor.ajay.app's certificate again.
We are stumbling upon this on webOS devices which are missing ISRG Root CA X1 and it's impossible to update the trusted CA store without rooting.
One server-side fix for that would be switching to https://zerossl.com/ which offers unlimited free 90-day ACME certificates (equivalent to Let's Encrypt, requires a minor configuration option change in the ACME client) signed by COMODO/UserTrust CA, which seems to be globally respected.
Right now I use a multi-domain cert, which isn't supported.
Pricing tab on ZeroSSL is utterly unreadable... Everything that's marked as unsupported in free tier applies only to certificates issued manually in their management panel, and not to ACME API. Multi-domain and wildcard certs are supported in free tier, as long as they are issued via ACME - https://zerossl.com/features/acme/
I tried setting using https://github.com/zerossl/zerossl-bot and renewing my certs and on my end it still shows the cert as from Let's Encrypt, but let me know if I'm misreading it.
For https://sponsor.ajay.app? It still shows as derived from ISRG X1 for me too.
Comprehensive site to analyze your domain: https://www.ssllabs.com/ssltest/analyze.html?d=sponsor.ajay.app
Everything that needs to be done to convert a certbot setup (assuming you use that) from Let's Encrypt to ZeroSSL is to add these three options: https://github.com/zerossl/zerossl-bot/blob/master/zerossl-bot.sh#L10 (EAB can be copied from the ZeroSSL administration panel: "Developer" → "EAB Credentials for ACME Clients") and then likely run the certbot renew --force-renewal command.
I was advised by @pukkandan in this issue to ask this here.
In my Windows 10 VM I got this error:
I was able to work around it by manually importing the certificate of https://sponsor.ajay.app/ (from opening the site in Internet Explorer as admin...) After that the download and segment skipping succeeded.
However, this certificate expires 20211101. Do I have to repeat this workaround then?