<![CDATA[Expired certificate served (only) to mobile clients!?]]>Hi,

I don't understand what is going on:

I have haproxy running on my pfsense and connecting to a handful of websites on the backend and I use the pfsense certificate manager to keep my letsencrypt wildcard certificate current.

When I access one of my websites from a PC, haproxy serves up a current certificate and the website is shown as secure by my browser.

However, when I access any of these websites from my mobile phone, the websites are marked as unsafe because the certificate has expired.

So it seems that haproxy does serve up two different certificates (one current, one expired), depending on how the same website is accessed (PC or mobile).

I am not sure, but this may have started end of September (when letsencrypt changed their root cerificate). But this may be coincidental and unrelated - no idea.

Has anybody had to deal with something like this before or know what is going on?

Thanks!

]]>https://forum.netgate.com/topic/166985/expired-certificate-served-only-to-mobile-clientsRSS for NodeFri, 12 Jun 2026 20:59:33 GMTTue, 05 Oct 2021 07:47:16 GMT60<![CDATA[Reply to Expired certificate served (only) to mobile clients!? on Tue, 05 Oct 2021 09:28:51 GMT]]>@gertjan

Thank you, I had seen this thread and followed the OP's advice prior to the expiry of the LE certificate. So I thought I was prepared.

But reading again and on, there was a problem reported, not exactly mine but similar enough.

(Apparently, my problem was not the certificate itself (as expected by you) but the root or the intermediate certificate (the browser on my phone did not go into those details)).

I followed the advice, deleted the CAs and renewed the certificate again. This recreated the CAs and solved my problem.

Still strange that I encountered the problems only on my mobile but not on my PC...

]]>https://forum.netgate.com/post/1004412https://forum.netgate.com/post/1004412Tue, 05 Oct 2021 09:28:51 GMT<![CDATA[Reply to Expired certificate served (only) to mobile clients!? on Tue, 05 Oct 2021 08:15:40 GMT]]>@sensewolf said in Expired certificate served (only) to mobile clients!?:

marked as unsafe because the certificate has expired.

The certificate itself, the intermediate or ... the root certificate ?
The last one is already in the "trusted certs list in your phone" and will get updated when you update the phone. Or, if possible, delete it, and get a more recent version.

Your using the ACME pfSense package ?
You probably want to look at this thread : HEADS UP: DST Root CA X3 Expiration (September 2021)

]]>https://forum.netgate.com/post/1004400https://forum.netgate.com/post/1004400Tue, 05 Oct 2021 08:15:40 GMT