How to Resolve Sectigo Expired on May 30, 2020 Chain Certificate Issue

By | June 1, 2020

If you manage a server, you have domains with SSL certificates. Strangely, free certificates are sometimes better than paid ones. This time SSL certificates issued by Sectigo were affected. That means if you have a certificate issued by Comodo (now Sectigo), you should know that you may run into issues unless you update your chain certificate.

Let’s dig into the official release. It says you don’t have to do anything, since all modern browsers handle an expired chain certificate fine. Browsers are fine, but what about every other way your site is accessed? curl and native openssl clients will throw errors saying your website has an invalid certificate. That is not visible in the browser, but you may have trouble downloading content from your site, checking it, and so on. Here is what you can do to resolve the issue:

1. Check your chain certificate validity here. Just enter your domain and you will get a message saying whether your chain is ok or not.

2. If your chain is ok, “relax and enjoy”. If it is not, you have to update the chain certificate on your server. I will show how to do that in Apache; for nginx or any other web server the procedure is similar. Locate your httpd.conf and find its SSL section. You should have something like this:

SSLEngine on
SSLCertificateKeyFile /etc/httpd/conf.d/lampdocs.com.key
SSLCertificateFile /etc/httpd/conf.d/lampdocs.com.crt
SSLCertificateChainFile /etc/httpd/conf.d/lampdocs.com.ca

3. Download an updated chain certificate from whatsmychaincert.com. If your chain is invalid, a link to a valid chain will be generated there automatically. Update SSLCertificateChainFile to point to the file you receive from whatsmychaincert.com, so it looks like this:

SSLEngine on
SSLCertificateKeyFile /etc/httpd/conf.d/lampdocs.com.key
SSLCertificateFile /etc/httpd/conf.d/lampdocs.com.crt
SSLCertificateChainFile /etc/httpd/conf.d/lampdocs.com.chained.crt

4. Restart your web server and repeat the check. You should now get a message that your chain is valid.
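As an added example (not part of the original post), here is a small POSIX shell helper that does the check of steps 1 and 4 yourself with the openssl CLI: it flags expired (or soon-expiring) certificates in the bundle named by SSLCertificateChainFile, and can run the same check on the chain a live server actually sends, which is exactly what curl and other openssl-based clients see. The function names and the "seconds until expiry" threshold are my own assumptions.

```shell
#!/bin/sh
# Hypothetical helper, not from the original post. Requires the openssl CLI.
# check_chain_file BUNDLE [SECONDS]: splits a PEM bundle (such as the file
# named by SSLCertificateChainFile) into its certificates and flags any that
# is already expired or expires within SECONDS (default 0 = expired now).
# Returns 0 if every certificate passes, 1 otherwise, 2 on setup failure.
check_chain_file() {
    bundle="$1"
    within="${2:-0}"
    tmpdir=$(mktemp -d) || return 2
    # Write each BEGIN..END CERTIFICATE block to its own file, in order.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$bundle"
    status=0
    for cert in "$tmpdir"/cert*.pem; do
        [ -e "$cert" ] || { echo "no certificates found in $bundle"; status=1; break; }
        subject=$(openssl x509 -in "$cert" -noout -subject)
        notafter=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
        # -checkend exits 0 only if the certificate is still valid SECONDS from now
        if openssl x509 -in "$cert" -noout -checkend "$within" >/dev/null; then
            echo "OK    $notafter  $subject"
        else
            echo "FAIL  $notafter  $subject"
            status=1
        fi
    done
    rm -rf "$tmpdir"
    return "$status"
}

# check_live_chain HOST [SECONDS]: fetches every certificate the server at
# HOST:443 presents (what curl and other openssl-based clients see) and runs
# the same check on it. Needs network access.
check_live_chain() {
    host="$1"
    outfile=$(mktemp) || return 2
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$outfile"
    check_chain_file "$outfile" "${2:-0}"
    rc=$?
    rm -f "$outfile"
    return "$rc"
}
```

Run `check_chain_file /etc/httpd/conf.d/lampdocs.com.ca` before and after swapping in the new chain file; a FAIL line on an intermediate is the expired Sectigo/AddTrust link the browser hides from you.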
