Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'

Hello,

Like many others, I also have this error message, as shown in the title. It has appeared since 9 Feb 2024. It seems to prevent updating any of my certificates, so it's a ticking bomb!

I don't understand what the other instances were so I'll have to ask for mine as well. I'm using Certes for .NET to generate those certificates. At one point the Certes.CertificateChainExtensions.ToPem(CertificateChain certificateChain, IKey certKey) method is called and that raises the exception. I don't understand any of this so please help me. I'd expect that a retrieved certificate can be converted to PEM format, but apparently there is some validation also going on and it fails.

My domain is: all (really, every request fails)

I ran this command: Certes.CertificateChainExtensions.ToPem(CertificateChain certificateChain, IKey certKey)

It produced this output: Certes.AcmeException with the message from the title

My web server is (include version): Apache 2.4 (irrelevant here)

The operating system my web server runs on is (include version): Ubuntu Server 20.04

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): own, it is throwing the error

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): none, not using it

The "Certbot" here is just an example. The question relates to the ACME client used, whichever ACME client. In your case that seems to be Certes, so the question here really is: "The version of Certes".

Did you also look at the other (solved) threads with regard to this error and Certes? E.g. Certes.AcmeException: Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3' or Getting Error when trying to get a new certificate?

2 Likes

Sorry, I didn't find solutions in the other threads, only lots of technical comments digging into different directions.

The Certes version I had was 2.3.4. After upgrading to 3.0.4 it works again. Sadly the new Certes version is unofficial, not open source and undocumented. There's no tag for this version in the GitHub repo so it remains unclear what it actually contains. The new version number would also suggest breaking changes, but luckily my application still builds.

1 Like

Can't you upgrade to the open source release 3.0.0?

[edit] Hmm, I'm not sure in which version it was fixed though. Maybe indeed just in 3.0.4 and newer.

1 Like

Everybody here seems to suggest upgrading to the currently latest 3.0.4, so I just tried that. We probably won't find out which version is necessary until the versions are properly tagged and traceable.

1 Like

A comment on the Certes GitHub by @webprofusion says that it is fixed in 3.0.0 as well.

I don’t know much about the Certes package so can’t say with high certainty exactly when it was fixed.

3 Likes

The tone here suggests you feel you were owed some explanation. They may not have tagged the release on GitHub, but the "official" Certes is this one: NuGet Gallery | Certes 3.0.4, and it doesn't really take much sleuthing to see that the 3.0.4 release date coincides with the last repo commit: Commits · fszlin/certes · GitHub. The 3.0 tagged release did however get the ISRG Root X1 resource embedding, and you could choose that specific version via NuGet if you wanted.

Being open source doesn't make a package special, it just means you can see and play with the source, there is no obligation for the person who wrote it to maintain it and in this case it's clear to me that it was a work project that got published and just doesn't really get updated now, it has never had a thriving community of contributors.

I do have a well-used fork of Certes called Anvil which has divergent changes (including not relying on knowing the root just to build the final PFX) : GitHub - webprofusion/anvil: A client implementation for the Automated Certificate Management Environment (ACME) protocol - it's specifically for use in Certify The Web (which is a commercial product) but others can use it if they want.

I note also that users of other Certes-reliant things like GitHub - sjkp/letsencrypt-azure: The easiest way to use lets encrypt certificates on Azure (last updated 5 years ago) are also starting to see failures, including fairly high profile Microsoft developer stuff, so I think this has surprised a few folks. All I can really say is keep your software dependencies up to date or suffer the resulting bit rot.

6 Likes
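Added example, not part of the thread and not code from Certes or Anvil: a Python check that reproduces the issuer lookup behind the error in the title, assuming issuers are matched by comparing DER Name bytes. The function names and the unsigned skeleton certificates are constructed for illustration; `pem_to_der` lets the same check run on a real full-chain PEM.

```python
import base64, re

def tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(cert):
    """Return (issuer, subject) as raw DER Name bytes of an X.509 certificate."""
    _, p, _ = tlv(cert, 0)                     # Certificate SEQUENCE
    _, p, _ = tlv(cert, p)                     # tbsCertificate SEQUENCE
    tag, _, end = tlv(cert, p)
    if tag == 0xA0:                            # optional [0] version
        p = end
    fields = []
    for _ in range(5):                         # serial, sigAlg, issuer, validity, subject
        start = p
        _, _, p = tlv(cert, p)
        fields.append(cert[start:p])
    return fields[2], fields[4]

def pem_to_der(pem_text):
    """Split a PEM bundle into a list of DER certificates."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode(b) for b in blocks]

def missing_issuers(chain, known_roots=()):
    """Issuer Names used in chain that match no Subject in chain or known_roots.
    Name matching only; signatures are not verified here."""
    subjects = {names(c)[1] for c in list(chain) + list(known_roots)}
    return [issuer for issuer, _ in map(names, chain) if issuer not in subjects]

# --- constructed sample data: unsigned skeletons with X.509 field order, CN-only names ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def name(cn):
    return der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403") + der(0x0C, cn.encode()))))

def fake_cert(subject, issuer):
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer) + der(0x30, b"") + name(subject))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    chain = [fake_cert("example.test", "R3"), fake_cert("R3", "ISRG Root X1")]
    root = fake_cert("ISRG Root X1", "ISRG Root X1")
    print("root not known to client:", len(missing_issuers(chain)), "issuer(s) missing")
    print("root known to client:    ", len(missing_issuers(chain, [root])), "issuer(s) missing")
```

A non-empty result for a chain ending at R3 means the client has to supply ISRG Root X1 itself, which matches the root embedding the reply above describes for the 3.0 release.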
