since Jul 28 2021 we are unable to deploy a valid certificate to the Azure FrontDoor.
according to Azure, at same time, they deploy a new validation that verify the chain of the certificate.
all certificate that we created are rejected on Azure FrontDoor because that validation is failing.
My domain is: *.channel.test.nati700.hvdsdev.tv
It produced this output: all required pem files
My web server is (include version): Azure FrontDoor
From Azure support:
I was checking the files you sent me and the chain doesn’t look right
As you can see, on the leaf certificate the intermediate is signed by DST Root CA X3 but on the intermediate the Root is ISRG Root X1, this will prevent the system from validating the certificate as there are 2 different Root CAs involved.
I also checked the intermediate CA thumbprint (R3) from the leaf certificate and checked the one present on the chain file.
Looks like there are different intermediate CAs named R3 and the leaf certificate is using a different one from the one present on the chain. We need to correct this, since it is now a requirement,
Hi @nfinkel, and welcome to the LE community forum
Without showing the private key file, please show the other files you sent to Azure.
please find attached the files that was generated bu certbot
cert1.pem (1.9 KB)
chain1.pem (3.7 KB)
fullchain1.pem (5.6 KB)
Try using this full chain file instead:
fullchainTEST.pem (4.6 KB)
The full chain that you provided above is working as expected on Azure,
Can you please elaborate what did you change and what should we do to support it?
In short, there are two possible chains.
The default one you were given (for unknown reasons) doesn't work with your system.
I simply replaced the
chain.pem portion to use the other trust path.
There should be a way to instruct the ACME client to always use that other trust path.
Thanks for the information. we manage to basically understand the fix.
our system work with many types of devices (Android/IOS/Smart TV/PC) old and new and we try to understand what should we do.
we notice the expiration of the "DST Root CA X3" certificate and we don't know what should we do.
Can you please explain as what should we do?
I can't say that I'm qualified (nor informed enough about your specific situation) to tell you what you should do... beyond recommending that you review the various posts regarding the upcoming root expiration and, if needed, opening a new topic to better discuss any unanswered questions.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.