Certes.AcmeException: Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'

Hello Team,

We are using Certes.2.3.2 in c#.net for creating SSL certificates. Looks like for the last 30 days our code has failed to create the certificate due to the below error.

Has something got changed recently? Please help us to make this working as our application is highly dependent on this to create certificates for custom domains.

Certes.AcmeException: Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'.
at Certes.Pkcs.CertificateStore.GetIssuers(Byte der)
at Certes.CertificateChainExtensions.ToPem(CertificateChain certificateChain, IKey certKey)



This is a bug in Certes. You can see this community forum thread and this github issue for more information.

If you upgrade to Certes version 3.0.4 or later, the issue will be fixed.


@aarongable thanks. I fixed it by upgrading Certes to 3.0.4


@aarongable the above issue caused the max limit reached for the last hours and we have many domains that were not renewed. Is there a way to increase our max limit for the timing so that we can generate a new certificate?

That type of change is not possible.
You will have to wait the hour :frowning:
[which has probably already passed]


I think that bug report in Github is wrong and might need to be corrected.

"This change involves not returning the root certificate with the request (short chain)."

The report reads to me as if the OP in that thread is under the assumption the (Cross-Signed) X1 is functioning as a Root Certificate, when it is actually functioning as a cross-signed Leaf Certificate.

Many of the bug reports and issues on this topic, across multiple clients, seem to stem from the same misunderstanding. See also: Chain incomplete since feb 8 2024


I don't know if it is relevant to mention, but in the Chain incomplete since feb 8 2024 I did not assume that the third certificate was a root certificate. I was well aware that it was the cross-signed cert,

1 Like

Third cert?
It used to be the third cert / last.
Now there's only two certs.
So, if anyone is trying to remove the third cert by removing the last one...
That won't get them their desired result.
[because now the last cert is the second cert - there is no third cert (anymore - by default)]


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.