Certificate Chain Confusion

Radderz · October 26, 2021, 10:34am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://ncwrp.seuk.it/

My web server is (include version): IIS10

The operating system my web server runs on is (include version): Windows Server 2016

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Win Acme v2.1.19.1142

I have experienced some problems with the certificate chain since a server was cloned, and also problems with android devices since the expiration of the root certificate DST Root CA X3.

Firstly I`m a bit confused as to what chain the server is serving:

https://www.ssllabs.com/ssltest/analyze.html?d=ncwrp.seuk.it
Says that it is wtn.seuk.it -> R3 -> ISRG Root X1 Self-signed

Says that it is wtn.seuk.it -> R3 (expired) -> DST Root CA X3 (expired)

Secondly, I believe I want to serve the longer chain to be compatible with older android devices. My personal phone is locked on Android 7 and showing certificate errors on the browser.. Plus we have android apps which connect to our server, which has experienced intermittent errors and app crashes since the root cert expired.

I`m not sure how to go about specifying which chain to serve in Win-Acme (apparently you can on the version I am using). I previously made this post, and I did configure it to serve the longer chain by installing that certificate (this was done prior to the expiry of the root); however there was a server clone performed and the certificates had to be re-issued. Since then I have had trouble re-setting up this chain.

Any advice on what I am doing wrong and how to serve the correct chain would be appreciated.

Nummer378 · October 26, 2021, 10:57am

IIS servers will usually refuse to serve the long chain nowadays (because it doesn't like having an expired certificate in the chain).

So.. It's impossible to support Android 7 and older on IIS? (In a non-hacky way?)

Correct. There are workarounds but Windows builds it's own certificate chain for your certificate which it then uses (when acting as a server or a client), regardless of the chain you may have constructed in the installed PFX (stored in the machine certificate store).

Options/workarounds include:

Proxying your service via nginx, caddy, apache etc (these construct the chain from pem files)

Proxying your service via Cloudflare

Moving ISRG Root X1 to Untrusted (not recommended, can affect outgoing https calls from your server to other services, like Let's Encrypt).

Using an alternative CA

Note that there will be another round of root/intermediate expiries in 2024/25 etc and at that point those Android devices will be entirely out of luck as well.

webprofusion · October 26, 2021, 12:22pm

You can request a chain (and a PFX can be built to include the correct intermediate for that chain) but Windows then ignores the chain because it can't tolerate the expired DST Root CA X3. Nobody really figured that out until after the recent Let's Encrypt root expiry. (or if they did they didn't mention it here)

So basically, if you want a broadly compatible chain for all clients, use an alternative ACME CA like ZeroSSL, because they're root is older and more commonly trusted (actually they have two and one is less common but cross signed, but that's complicated so you can ignore it).

In a few years, it won't matter as much because more trusted roots will expire and these devices will become permanently obsolete. Currently we're in a tricky changeover period where people still expect moderately old devices to work without any updates.

rg305 · October 26, 2021, 7:04pm

You mean they will just be clicking the bypass/ignore button 1000 times a day - LOL

system · November 25, 2021, 7:05pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.