Certificate has expired for apps.nextcloud and nextcloud.com

No, the certificate for apps.nextcloud.com:443 doesn’t expire.

  • Since 30.09.2021 the DST_Root_CA_X3 root has been expired
  • apps.nextcloud.com:443 delivers two certificate chains
    • This is the default from Let's Encrypt. letsencrypt.org:443 does the same.
    • The idea of two chains: one is valid and the other remains for higher compatibility with older Android devices (older Android devices do not check the expiration date of the root certificate if the intermediate is still valid)
  • See also: SSL Server Test: apps.nextcloud.com (Powered by Qualys SSL Labs)

Comparison letsencrypt.org vs. apps.nextcloud.com:

$ openssl s_client -connect apps.nextcloud.com:443 -servername apps.nextcloud.com < /dev/null 2>/dev/null | grep "Certificate chain" -A7
Certificate chain
 0 s:/CN=apps.nextcloud.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

$ openssl s_client -connect letsencrypt.org:443 -servername letsencrypt.org < /dev/null 2>/dev/null | grep "Certificate chain" -A7      
Certificate chain
 0 s:/CN=lencr.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

But older Linux distros are bothered (with newer ones this is no longer a problem) when a chain leads to an expired root although another chain leads to a correct root. In this case, you can simply remove the expired root certificate.

For Debian:

$ curl https://community.letsencrypt.org/
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

$ rm /etc/ssl/certs/DST_Root_CA_X3.pem 

$ curl -i https://community.letsencrypt.org/
HTTP/1.1 200 OK

This affects e.g. Debian 8. However, if you use Debian 8, you should also consider upgrading Debian. Version 8 is end of life and no longer receives security updates.

However, if the ISRG_Root_X1 certificate is missing on your local system, then this is of no use. Then you should upgrade your Linux distro.

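The following is an added example, not part of the post above and not code from Nextcloud or Let's Encrypt. It is a simplified model of X.509 path building that reproduces the situation the post describes: the server sends leaf, R3 and the ISRG Root X1 certificate cross-signed by DST Root CA X3; a legacy verifier (OpenSSL 1.0.x style) prefers the server-supplied intermediates and ends at the expired DST root, while a newer verifier consults the trust store first and stops at the self-signed ISRG Root X1. Removing DST Root CA X3 from the store makes the legacy lookup fail, which triggers its alternative-chain fallback and lets it find ISRG Root X1; if ISRG Root X1 is missing as well, nothing helps. The certificate objects, the `Cert` class, `build_and_verify`, and all dates except the DST expiry date from the post are constructed for this model and are assumptions, not real certificate data.

```python
"""Simplified model of X.509 path building for the Let's Encrypt dual-chain case.

Added example: the classes, functions and sample data here are constructed
for illustration; only the DST Root CA X3 expiry date comes from the post.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date  # expiry date (notAfter)


# --- Constructed sample data, shaped after the openssl output in the post ---
# Only the DST Root CA X3 expiry (2021-09-30) is taken from the post; the other
# dates are placeholders chosen so every other certificate is valid on the
# dates used below.
LEAF = Cert("CN=apps.nextcloud.com", "CN=R3", date(2021, 12, 31))
R3 = Cert("CN=R3", "CN=ISRG Root X1", date(2025, 9, 15))
ISRG_X1_CROSS = Cert("CN=ISRG Root X1", "CN=DST Root CA X3", date(2024, 9, 30))
SERVER_CHAIN = [LEAF, R3, ISRG_X1_CROSS]  # what the server sends, leaf first

ISRG_X1_SELF = Cert("CN=ISRG Root X1", "CN=ISRG Root X1", date(2035, 6, 4))
DST_X3 = Cert("CN=DST Root CA X3", "CN=DST Root CA X3", date(2021, 9, 30))

TODAY = date(2021, 10, 1)          # one day after the DST root expired
BEFORE_EXPIRY = date(2021, 9, 1)   # a date on which the DST root was still valid


def find_issuer(cert, store, untrusted, trusted_first):
    """Locate cert's issuer. Returns (issuer_cert, came_from_trust_store)."""
    order = (store, untrusted) if trusted_first else (untrusted, store)
    for source in order:
        cand = source.get(cert.issuer)
        if cand is not None and cand is not cert:
            return cand, source is store
    return None, False


def build_and_verify(chain, trust_store, today, trusted_first):
    """Build a path from chain[0] to a trust anchor, then check expiry.

    trusted_first=False models legacy behaviour: server-supplied certificates
    are preferred and the trust store is consulted only when no untrusted
    issuer exists; a shorter alternative path is tried only after an issuer
    lookup fails outright (which is why deleting the expired root helps).
    trusted_first=True models newer behaviour: the trust store is consulted
    first at every step, so the path stops at ISRG Root X1 and never reaches
    the cross-signed certificate.
    Returns (ok, [subjects in the path], reason).
    """
    store = {c.subject: c for c in trust_store}
    untrusted = {c.subject: c for c in chain[1:]}
    path = [chain[0]]

    while True:
        issuer, from_store = find_issuer(path[-1], store, untrusted, trusted_first)
        if issuer is None:
            # Alternative-chain fallback: drop server-supplied certificates from
            # the end of the path until one of them chains to a trust anchor.
            while len(path) > 1 and path[-1].issuer not in store:
                path.pop()
            anchor = store.get(path[-1].issuer)
            if anchor is None:
                return False, [c.subject for c in path], "unable to get issuer certificate"
            path.append(anchor)
            break
        if issuer in path:
            return False, [c.subject for c in path], "loop in untrusted chain"
        path.append(issuer)
        if from_store:
            break  # reached a trust anchor

    for cert in path:
        if cert.not_after < today:
            return False, [c.subject for c in path], f"{cert.subject} expired {cert.not_after}"
    return True, [c.subject for c in path], "ok"


if __name__ == "__main__":
    scenarios = [
        ("legacy, both roots in store", [ISRG_X1_SELF, DST_X3], False),
        ("modern, both roots in store", [ISRG_X1_SELF, DST_X3], True),
        ("legacy, DST root removed", [ISRG_X1_SELF], False),
        ("legacy, ISRG Root X1 missing", [DST_X3], False),
        ("modern, ISRG Root X1 missing", [DST_X3], True),
    ]
    for name, store, modern in scenarios:
        ok, path, reason = build_and_verify(SERVER_CHAIN, store, TODAY, modern)
        print(f"{name:32} -> {'OK ' if ok else 'FAIL'} {reason}; path: {' -> '.join(path)}")
```

Running the script prints one line per scenario; the legacy verifier with both roots installed fails with the DST expiry, the same verifier succeeds once `DST Root CA X3` is removed from the store, and neither mode succeeds when `ISRG Root X1` is absent, which matches the three outcomes the post describes.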