Let's encrypt certificate expired on desktop client

Hello,
Since yesterday, the Windows desktop client app is not able to connect to my nextcloud that has a Let’s Encrypt certificate.
The web version using a browser is connecting fine without any error. I renewed the certificate without any issue. Chain looks correct in the browser.
The App displays this error :

Impossible de se connecter de manière sécurisée à xxxx.net :
Le certificat a expiré
avec certificat R3
Organisation : Let's Encrypt
Unité : <non spécifié>
Pays : US
Empreinte (SHA-256): 73:0c:1b:dc:d8:5f:57:ce:5d:c0:bb:a7:33:e5:f1:ba:5a:92:5b:2a:77:1d:64:0a:26:f7:a4:54:22:4d:ad:3b
Empreinte (SHA-512): dd:35:f3:6f:0d:b8:1b:56:a1:cc:9f:73:4e:42:58:d6:61:25:53:0f:a8:cf:af:6b:5e:fe:79:d5:17:31:83:02:4e:bc:78:54:3b:69:bd:d8:9f:de:37:24:81:6a:03:5a:20:cb:dc:ed:b5:e4:4d:d2:b7:46:ab:9b:0b:30:4c:cd

Date de début de validité : mer. oct. 7 19:21:40 2020 GMT
Date d'expiration : **mer. sept. 29 19:21:40 2021 GMT**
Émetteur : DST Root CA X3
Organisation : Digital Signature Trust Co.
Unité : 
Pays : 

Of course I can check the box stating that I trust this connection, but this is not what I want.
I am using the latest 3.3.4 version of the Windows app.

Does somebody has an idea ?

Thanks and regards,

Laurent.

Hello,

The problem was located on the reverse proxy using the old chain. While browser correctly

Hi @laurent06 ,

I am experiencing the same issue. Can you elaborate more on the reverse proxy that was the issue in your case? I do not have a reverse proxy but am still experiencing the issue. Also, if the issue were with a reverse proxy, why do browsers work and not complain about the Let’s Encrypt certificate?

Thank you
Michael

The problem is about one of the Let’s Encrypt certificates that just expired (DST Root CA X3). It is a very impactful issue over many servers.
On windows, if this appear at launch, you can open certificate manager and delete the expired certificate, then relaunch your client.
How to :

  • Win+X
  • certlm.msc
  • Click on the second line, on the left (french W10 call this “autoritĂ© de certification racine de confiance” so, maybe “trusted root certification authority”)
  • Click Certificates
  • Scroll to find “DST Root CA X3”
  • Right click
  • Delete
  • Relaunch Nextcloud Client

Hope this works for you

gZen0n

1 Like

Thank you @gZen0n, this worked!

I remember having to clean up the DST Root CA X3 on my pfSense box but wasn’t aware it was in Windows’ certificate store as well - looks like even Edge doesn’t use the certificate store of Windows (or it tries different available certificate chains and the Nextcloud client doesn’t).

1 Like

Certificate-Storage on Windows didn’t help for me, the App just reinstalled it. Update & Reboot on the Server helped for me… :wink:

1 Like

Hello @mduller ,
I am using a Sophos UTM as a reverse Proxy. The issue was an old certificate authority.
https://borncity.com/win/2021/09/30/lets-encrypt-zertifikate-rger-mit-windows-sophos-utm-macos-ios-30-9-2021/
I deleted it and it worked.
It seems that browsers are able to find the root certificate and chains by themselves while the nextcloud app just trusts what it sees.

Hope this helps,

Laurent.

1 Like