A certificate to validate them all?

Hello everybody

I used Let's Encrypt to secure a Payara server that hosts my community's web services. These web services are encrypted with the certificate that I get automatically. The developers of my community will also consume the web services in PHP, in Java and in CSharp.

  • With PHP, no problem because PHP knows the certificates of the server that hosts it.
  • With Java and CSharp, I don't know how to validate the certificate. At the moment, the developers ignore the certificate, which is not a satisfactory behavior, because they can't deliver a version every 2-3 months.

So my question is: is there a certificate, like a root certificate, that allows validating all certificates coming from Let's Encrypt? If yes, how do I use it in CSharp and in Java?

Thanking you in advance
Thierry


My domain is:

sicpa-interop.inra.fr

My web server is (include version) :

Payara Server 5.192

The operating system my web server runs on is (include version):

CentOS Linux release 7.9.2009 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"


I can login to a root shell on my machine (yes or no, or I don't know) :

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Payara Server Administration Console

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.11.0
1 Like

I don't fully understand what issue your developers are running into.

Also, your site sicpa-interop.inra.fr currently uses an expired certificate from Terena, not Let's Encrypt. And it's also not sending an intermediate.

So lots of room for improvements here.

4 Likes

Sorry, this is the production site. The version I will put online at the end of this week is: https://sicpa-interop-recette.cati.inrae.fr

In fact, my colleagues fear a service failure when switching from the current production (terena) to the let's encrypt version

1 Like

Your colleagues should already have an issue with the current Terena certificate at sicpa-interop.inra.fr, as it's expired. For some reason the other, non-expired Terena cert isn't being served? Not from my point of view anyway.

Also, please explain what the issue with Java and CSharp is. Without knowing the issue, we can't give advice.

4 Likes

Word of advice: Don't explicitly trust the upstream signers as a means to use/enter your system.
[LE signs 200M+ certs - all of which would be trusted in such a scenario]

2 Likes

Let's Encrypt certificates are normally issued from an intermediate CA under the ISRG Root X1, which is trusted in default Java trust stores (with recent enough versions of Java).

If not, you can make your own trust store including the X1 certificate.

5 Likes
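The "make your own trust store including the X1 certificate" approach from the reply above, written out as an added Java example (this is not code from the thread or from Let's Encrypt). It assumes the ISRG Root X1 certificate has been downloaded out of band from letsencrypt.org into a PEM file whose path is a placeholder here, and it uses only standard JDK classes. Trusting the root authenticates the chain; the hostname check that `HttpsURLConnection` performs by default is what ties the certificate to the domain, which is the distinction the "don't trust the upstream signer as a means to enter your system" warning earlier in the thread is making.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class IsrgRootTrust {
    // Assumption: ISRG Root X1 in PEM form, fetched from letsencrypt.org and stored
    // next to the program. The file name is a placeholder, not a path from the thread.
    private static final String ROOT_PEM = "isrg-root-x1.pem";

    // Builds an SSLContext whose trust store contains only the given root.
    // Everything else (including the JDK's default cacerts) is deliberately excluded.
    static SSLContext contextTrustingOnly(String rootPemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate root;
        try (InputStream in = new FileInputStream(rootPemPath)) {
            root = cf.generateCertificate(in);   // accepts PEM as well as DER
        }

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                      // empty in-memory store
        ks.setCertificateEntry("isrg-root-x1", root);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String target = args.length > 0
            ? args[0]
            : "https://sicpa-interop-recette.cati.inrae.fr/";

        HttpsURLConnection conn = (HttpsURLConnection) new URL(target).openConnection();
        conn.setSSLSocketFactory(contextTrustingOnly(ROOT_PEM).getSocketFactory());
        // Default hostname verifier stays in place: the leaf must match the URL's host.
        conn.connect();

        // Print the chain the server actually sent. With the PKIX trust manager the
        // handshake only succeeds if the intermediate is present here (or in the
        // trust store), which is why a server that omits its intermediate fails.
        for (Certificate c : conn.getServerCertificates()) {
            System.out.println(((X509Certificate) c).getSubjectX500Principal());
        }
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Run it against the recette host once it serves the Let's Encrypt certificate; if the handshake fails with a path-building error while the chain printed by another client shows only the leaf, the server is the part that needs fixing (it must send the intermediate), not the client code. Prefer relying on the JDK's default cacerts where the Java version already contains ISRG Root X1, and use a custom store like this one only for older runtimes that lack it.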

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.