The certificate chain that is being issued currently via traefik and cert manager have intermediate R3 and Root DST Root CA X3 expiring at the end of the month. I have seen and read the thread here: Production Chain Changes
Can someone explains to me what will happen to my LE certificate that is expiring in December once the R3 and Root it based on expire at the end of the month? The monitoring software (Logic Monitor) is telling me that the certificate will stop being valid when this happens. How do I get a certificate that will be valid past the current R3 and DST Root CA X3 expiration? May be I configured traefik / certmanager improperly so I'm getting the cert signed by the soon expired certificate chain? How is this supposed to work?
As per the linked page, you should currently be using R3 signed by ISRG Root X1, which is valid until Sep 15 16:00:00 2025 GMT. This certificate is send by the ACME server for every issuance since May.
There's another version of R3, signed by DST Root CA X3 which is no longer valid after the months end. Your ACME client should not be using this certificate anymore.
Yes, that's right. Windows seem to display the trust chain incorrectly for some reason. The chain that is shown in Windows UI is not the same as what I see when I examine the certs from command line. The latter shows what you just described.
Bah, automation means expirations don't matter. Standing up, securing, and maintaining a whole CA for a few internal certificates is way more effort than just using an ACME client if you can deal with DNS validation.
I agree with @rmbolger on this one. But we digress...
If it can be secured (FREELY) in an automated fashion, then why not?
[regardless of any other pro or con - and there are plenty]
Everything behaved as expected from LE perspective in terms of certificate generation. The chain contained up to date certificates with correct Intermediate and Root certs
The issues was local to Windows Boxes running IIS (Internet Information Server). The IIS would serve the incorrect certificate chain with older certs.
Both the old and the new certs were present on the Windows certificate store. In a parallel thread on this forum someone suggested, that when the old certs expire, the issue will go away by itself
To test the above I have removed the expiring R3 cert from one of the boxes and rebooted it. Upon reboot the web site started to serve the expected certificate chain.
Thank you everyone for contributions.
On the topic of "Why not use a private CA for that?", it's pretty simple, because it requires time to set up and maintain, whereas the existing solution is already in place and has proven successful over the last few years.
Yeah the primary issue with the expiring R3 on windows is that Windows prefers it when building a verified chain due to the expiring one being both valid and having the newer issue date, it doesn't care (yet) that the other R3 has a further/better expiration date. There is a certain amount of "wait-and-see and reboot if it doesn't work" going on here.
That is a very interesting detail "upon reboot".
It's still left to be seen if IIS will be "smart enough" to switch to the newer path without a reboot.
[highly unlikely but who knows? - maybe someone can forward the clock to see what IIS does in a lab]
OR
Maybe a PowerShell script can be made to remove the expiring cert and restart IIS.
I actually did not try it before rebooting. Common sense and experience tell me that there is a good chance that restarting IIS without a reboot would work as well.
My own testing was in the future, but I didn't try letting the system tick over from unexpired to expired, I just set a future date on the client and server then tested, so that could be something to try.
Yes, but even that requires admin interaction/intervention.
I'm thinking about all the servers that don't get that much attention...
How long will they be serving the old path (if chosen only at startup)?
I did try restarting IIS in my tests but the issue is higher up the food chain at the kernel level somewhere in https.sys/CAPI, there may be a service that could be restarted without restarting the whole server but I didn't figure out which.
