SSL Cert is valid when it shouldn't be

Hi @all,

today I ran into a strange issue. I checked the SSL Cert on my jitsi-meet installation https://jitsi.wuerzburg.de/ and noticed that the Certificate expired yesterday (28.12.2021).

I was wondering why my Browser didn’t warn me about the expired cert so I checked it with ssllabs.
The check said that my Cert will expire in February.

Originally I installed the certificate with the install-letsencrypt-cert.sh script and didn’t have any issues so far.
I already checked if the turnserver config was the issue but it points to the “right” certificate which expires in February.

Did anyone else stumble into this or can someone help me with this issue?
Thank you in advance!

SSL Labs is correct, the certificate expires in February:

$ openssl s_client -connect jitsi.wuerzburg.de:443
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = jitsi.wuerzburg.de
verify return:1
---
Certificate chain
 0 s:CN = jitsi.wuerzburg.de
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 28 20:07:47 2021 GMT; NotAfter: Feb 26 20:07:46 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT

NotAfter: Feb 26 20:07:46 2022 GMT

Try clearing your browser cache and then look at the GUI page for the certificate details again, maybe your browser has a bug with showing stale data.

Thank you for your response!
I already checked the cert with 3 different browsers and cleared the cache but the problem keeps reappearing.
What I noticed is that when I open any browser in Incognito mode, the right certificate is shown. When I open it normally, the expired cert is shown.

Chrome in Incognito:

I’m not very familiar with Windows, which I think your screenshots show that you’re using, but maybe the browsers share an OS-level certificate store, but don’t use it when in private mode in order to prevent fingerprinting. Try another computer? For what it’s worth, your website shows the correct (February 2022 expiration) certificate in all browsers on my laptop here.

If I’m correct, the website cert shouldn’t be stored locally on the machine, only the root and sub-CA certs.
I tried it a couple more times after clearing the cache and sometimes the right expiration date is shown but not always.
I’ve got the same problem on another machine so my guess is that the error is happening on the server side.

I can’t get the “wrong” one to appear even repeatedly requesting it here. Most OSes will store end-entity certs (your server cert) in the trust store if the user manually trusts them at some point. It’s unlikely you would have done that though since the cert would already be trusted.

If it’s server side, it would be caused by something like load balancing to backends with different certs, or SNI with the old and new certs (but in that case you’d have to be using two different domains).
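A client-side check for the load-balancing hypothesis above, added here as an example and not code from the thread: it resolves every address behind the name, completes a verified handshake against each one with SNI set, and reports whether all backends returned the same leaf certificate. The host name is the one from the thread; the two sample records and their serial numbers are constructed for offline use.

```python
import socket
import ssl
from datetime import datetime, timezone

# ssl.SSLSocket.getpeercert() renders validity timestamps in this format.
_CERT_TIME_FMT = "%b %d %H:%M:%S %Y %Z"

def parse_cert_time(value):
    """Turn e.g. 'Feb 26 20:07:46 2022 GMT' into an aware UTC datetime."""
    return datetime.strptime(value, _CERT_TIME_FMT).replace(tzinfo=timezone.utc)

def describe(cert, now=None):
    """Reduce a getpeercert() dict to the fields that identify the leaf."""
    now = now or datetime.now(timezone.utc)
    subject = dict(attr for rdn in cert["subject"] for attr in rdn)
    days_left = (parse_cert_time(cert["notAfter"]) - now).days  # < 0 once expired
    return {"cn": subject.get("commonName"), "serial": cert.get("serialNumber"),
            "not_after": cert["notAfter"], "days_left": days_left}

def distinct_leaves(results):
    """Unique (serial, notAfter) pairs seen across probes; more than one
    means not every backend is handing out the same certificate."""
    return sorted({(r["serial"], r["not_after"]) for r in results})

def probe_all(host, port=443, timeout=5.0):
    """Handshake with every address the name resolves to (SNI sent each
    time) and return (address, describe(cert)) per backend."""
    out = []
    for family, _, _, _, addr in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP):
        ctx = ssl.create_default_context()  # full verification, so getpeercert() is populated
        with socket.socket(family) as sock:
            sock.settimeout(timeout)
            sock.connect(addr)
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                out.append((addr[0], describe(tls.getpeercert())))
    return out

# Constructed getpeercert()-style records for offline use: the February
# certificate from the thread and a hypothetical one that expired 28 Dec 2021.
SAMPLE_NEW = {"subject": ((("commonName", "jitsi.wuerzburg.de"),),),
              "notAfter": "Feb 26 20:07:46 2022 GMT", "serialNumber": "NEW-PLACEHOLDER"}
SAMPLE_OLD = {"subject": ((("commonName", "jitsi.wuerzburg.de"),),),
              "notAfter": "Dec 28 12:00:00 2021 GMT", "serialNumber": "OLD-PLACEHOLDER"}

if __name__ == "__main__":  # live probe of the host from the thread
    probes = probe_all("jitsi.wuerzburg.de")
    print(*probes, sep="\n")
    print("distinct leaf certs seen:", distinct_leaves([i for _, i in probes]))
```

If the last line lists more than one pair, some backend (or a second SNI host on the same IP) is still serving the old certificate.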

I’ve got a turn server with its own SSL cert running on a different machine. Could that cause the problem somehow? Otherwise I didn’t configure load balancing or anything like that.

I mean it’s not really that big of a problem since all my browsers somehow still trust the expired cert but I don’t want it to become one someday.

The fact that the browsers “trust the expired cert” is a big hint, because they won’t trust an expired cert unless either a) an exception has been added or b) they are actually receiving the non-expired cert too. Have you somehow configured nginx to serve both the old and new cert? E.g. by concatenating both certs’ chains into the same file.

No, I just checked the conf. There are just the following entries:

ssl_certificate /etc/letsencrypt/live/jitsi.wuerzburg.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jitsi.wuerzburg.de/privkey.pem;

I also checked the certificates. The fullchain.pem contains the root + sub-CA + webserver cert. The privkey.pem obviously contains only the private key.

Do you have a corporate firewall? If yes, can you get an affected computer outside of it and try again?