Cert-manager+LE giving unwanted DST X3 chain after Feb 8

nekodojo · February 17, 2024, 11:42pm

We had an outage today caused by cert-manager and letsencrypt. Letsencrypt changed their default chain from X1,DST X3 to just X1. But we had already included a config param to use only X1, and that param stopped working and instead gave us the unwanted DST X3 instead. Beware.

More details in comments…

nekodojo · February 17, 2024, 11:48pm

This link was helpful for us to understand what was changing. But the change didn’t work like it was described here because cert-manager also did something unexpected

Also found a link to cert manager issue:

github.com/cert-manager/cert-manager

PreferredChain behaviour for letsEncrypt certificates after february 8

opened 11:51AM - 14 Feb 24 UTC

germanmichelena-dia

On 11/02/2024 some letsencrypt certificates where updated in our cluster, and th…ey were generated with the old certificate chain (signed by DST Root CA X3). We had configured as preferredChain in the clusterissuer "ISRG Root X1". It seems that after letsencrypt change in the default chain provided, the preferredChain configuration is not working properly. https://community.letsencrypt.org/t/shortening-the-lets-encrypt-chain-of-trust/201580 To solve this, we removed the preferredChain configuration in the clusterissuer, and the certificate provided by letsencrypt was the right one (signed by ISRG Root X1). Is anyone else having this issue? Our cert-manager version is 1.12.3

So the outcome was that while we had included a PreferredChain param in the config to request ISRG Root X1, instead we started getting ISRG X1 + DST X3 after Feb 8. First intermediate cert was fine but the extra DST was added. Chopping off the last cert in the chain gave us a working chain.

mcpherrinm · February 18, 2024, 12:12am

It seems like the best option is to stop setting the PreferredChain X1 setting, as that will be the default going forward.

Thanks for sharing the cert-manager bug.

orangepizza · February 18, 2024, 12:21am

looks like it grabbed anything alt version of chain when it configured, not actually looking at chain's name?

mcpherrinm · February 18, 2024, 12:41am

I read their bug: it looks for an alternate chain containing X1, so it finds X1 in the long chain. That’s different from Certbot and other clients that look for a chain ending in X1, including the default chain.

Osiris · February 18, 2024, 8:41am

If that's the case, how would that option have worked when the long chain was the default? It would never have selected the X1 short chain with such logic.

Or would it only have searched in the alternative chains? Because then it could work indeed with just a single alternative chain offered anyway.

By the way, for anyone who wondered: Certbot does not have this bug due to the fact it includes the default chain when searching for the selected issuer common name (and it also only looks at the last certificate in the chain):

github.com

certbot/certbot/blob/v2.9.0/certbot/certbot/_internal/client.py#L344-L348


      
          fullchain = orderr.fullchain_pem
          if self.config.preferred_chain and orderr.alternative_fullchains_pem:
              fullchain = crypto_util.find_chain_with_issuer(
                  [fullchain] + orderr.alternative_fullchains_pem,
                  self.config.preferred_chain, not self.config.dry_run)

And the other part of this bug (also looking at intermediate certs) was fixed in Certbot 1.12.0 back in the beginning of 2021. Alt-chain selection was introduced in 1.6.0 which also looked at the default chain, but stopped looking at intermediates.

nekodojo · February 18, 2024, 5:00pm

I recall in our case that DST was used some time back and we had to switch to a shorter chain (Last Sep I think). At that time adding preferred chain annotation as ISRG Root X1 was the correct choice.

mcpherrinm · February 19, 2024, 7:08pm

This issue and workarounds are now documented on the cert-manager release notes

system · March 20, 2024, 7:09pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.