Certbot returns certificates with the old certificate chain

The deduplicate feature in crt.sh is rather simple and just deduplicates, nothing more. It simply removes one of the two (whichever it finds first/last in the db); it doesn't care whether that's a precert or not. That means it sometimes gives you a precert and sometimes a leaf.

1 Like

Every time I've used the deduplication option in the past, I've always had it filter the lower (older) certificate in each pair, which is always the precertificate. Maybe I just got lucky (thousands of times)? I really hope I didn't lead anyone astray with a bad assumption.

See here:

https://crt.sh/?Identity=certsage.com&deduplicate=Y

and here:

https://crt.sh/?Identity=certsage.com

For me it's always been a wild mix of precert and leaf cert. It's been like this for me for many months, probably since this feature was introduced (which was in May 2020).

Example here: crt.sh | germancoding.com

It's a wild mix of both and I see no change in recent behaviour (I do check crt.sh rather frequently).

I just had a look and it's apparently based on whichever cert has the lowest id in crt.sh's internal database. If the leaf has a lower id, it uses that, if it's the precert, it uses that.

1 Like

I think the time is long overdue to reanalyze this "design choice" and make the feature actually useful.

Back to the question at hand. Does anyone have any idea why this occurs? And does anyone else have the same issue as we do?

So, after a considerable tour around the houses, as I understand it you believe Certbot is sometimes giving you a chain you didn't want, but not always?

Are you explicitly asking for one particular chain, e.g. using --preferred-chain?

It sounds from the initial topic as though you wanted certificates in order to test stuff; for testing you can manually assemble either chain. Your actual leaf certificate isn't any different; the change is just which other certificates are presented with it.

2 Likes

Yes, that is exactly what I believe, and for which I offer substantial proof.

I am not explicitly asking for a particular chain; I expect Let's Encrypt to return the default chain, which as of May 4th should be the "long chain", which includes the ISRG intermediate.

Maybe I was a bit unclear in my initial topic description. I was creating new certificates in order for our clients to test their IoT devices against the new certificate chain. I am fully aware that I can just replace the intermediates with the long chain, but that's not the issue. I want to be able to trust that Let's Encrypt and certbot get me the right certificate every time.

We have a fully automated setup for getting certificates. There is no manual intervention so we currently have no way to inspect the certificates before they get deployed to a production system. If we suddenly can't trust that we get correct certificates we have to add additional checks to our automated setup or add a manual step. Neither is preferable.

1 Like
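The "additional checks to our automated setup" mentioned above can be a small deploy-hook script. The following is an added example, not code from the thread, Certbot or Let's Encrypt: it splits the fullchain.pem Certbot writes, checks that each certificate was issued by the next one, and checks that the chain ends in the intermediate or cross-signed root the operator expects. The expected name is an operator setting; the default "ISRG Root X1" is an assumption standing in for what the thread calls the ISRG intermediate. It relies on the openssl command-line tool and, when run as a Certbot `--deploy-hook`, on the RENEWED_LINEAGE variable Certbot exports.

```shell
#!/bin/sh
# Added example (not part of the original thread): sanity-check the chain Certbot produced.
# Requires the openssl CLI. Works with any PEM bundle (leaf first, then intermediates).

# Print "<subject>|<issuer>" for each certificate in a PEM bundle, in file order.
# The "subject=" / "issuer=" prefixes openssl prints are stripped so the two can be compared.
chain_names() {
    bundle=$1
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate (cert-01.pem, cert-02.pem, ...).
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    for cert in "$tmp"/cert-*.pem; do
        [ -f "$cert" ] || continue
        subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
        printf '%s|%s\n' "$subj" "$iss"
    done
    rm -rf "$tmp"
}

# Exit 0 when every certificate in the bundle was issued by the one that follows it,
# i.e. issuer(cert N) == subject(cert N+1), and the bundle is not empty.
# The last certificate's issuer is deliberately not judged here; that is chain_ends_with's job.
chain_is_linked() {
    chain_names "$1" | awk -F'|' '
        NR > 1 && prev_issuer != $1 { bad = 1 }
        { prev_issuer = $2 }
        END { if (NR == 0) bad = 1; exit bad }
    '
}

# Exit 0 when the subject of the top certificate in the bundle (the last one written)
# contains the expected name, e.g. the intermediate or cross-signed root you require.
chain_ends_with() {
    bundle=$1
    expected=$2
    top=$(chain_names "$bundle" | tail -n 1 | cut -d'|' -f1)
    case "$top" in
        *"$expected"*) return 0 ;;
        *) return 1 ;;
    esac
}

# When run by "certbot renew --deploy-hook", Certbot exports RENEWED_LINEAGE (the live/<name> dir).
# EXPECTED_TOP is an operator setting; "ISRG Root X1" is assumed here as the name to require.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    bundle="$RENEWED_LINEAGE/fullchain.pem"
    if chain_is_linked "$bundle" && chain_ends_with "$bundle" "${EXPECTED_TOP:-ISRG Root X1}"; then
        echo "chain check passed for $bundle"
    else
        echo "unexpected certificate chain in $bundle, refusing to deploy" >&2
        exit 1
    fi
fi
```

A failing hook makes the renewal job exit non-zero, which is enough for an automated pipeline to stop and alert rather than push an unexpected chain to production. The linkage check and the expected-top check are kept separate on purpose: a chain can be perfectly well-formed and still be the shorter one you did not want.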

Until someone from Let's Encrypt says otherwise, I would actually assume you are correct and that the changeover is being rolled out gradually.

2 Likes

I think it may be time to bring in @lestaff:

Over what time period is/was the new, longer May 4 certificate chain rolled out? Is it possible that for some significant length of time, some requests would get the short one while other requests got the long one?

4 Likes

Y'all actually nailed it. I've done some review and there was one instance in the rolling restart which had a conflict and may not have completed its configuration deployment until Thurs the 6th. So approximately 48 hours. All are definitely in sync now and if anyone witnesses similar behavior, it would be very unexpected. That being said, our root and intermediate signatures are set up in a way that site operators should be able to build the chains that make the most sense for their users. Thank you for the discussion and details.

14 Likes

Thank you so much for the update and explanation. I will do new certificate requests on Monday when I’m back at the office. I’ll let you know the outcome.

4 Likes

Good morning.
I have renewed the certificates for the domains which previously had the older trust chain. Both of them now have the new, longer chain.

Keep up the good work LE!

1 Like
