Certificate Chain Confusion

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://ncwrp.seuk.it/

My web server is (include version): IIS10

The operating system my web server runs on is (include version): Windows Server 2016

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Win Acme v2.1.19.1142

I have experienced some problems with the certificate chain since a server was cloned, and also problems with android devices since the expiration of the root certificate DST Root CA X3.

Firstly I'm a bit confused as to what chain the server is serving:

https://www.ssllabs.com/ssltest/analyze.html?d=ncwrp.seuk.it
Says that it is wtn.seuk.it -> R3 -> ISRG Root X1 Self-signed

Says that it is wtn.seuk.it -> R3 (expired) -> DST Root CA X3 (expired)

Secondly, I believe I want to serve the longer chain to be compatible with older android devices. My personal phone is locked on Android 7 and showing certificate errors on the browser. Plus we have android apps which connect to our server, which have experienced intermittent errors and app crashes since the root cert expired.

I'm not sure how to go about specifying which chain to serve in Win-Acme (apparently you can on the version I am using). I previously made this post, and I did configure it to serve the longer chain by installing that certificate (this was done prior to the expiry of the root); however there was a server clone performed and the certificates had to be re-issued. Since then I have had trouble re-setting up this chain.

Any advice on what I am doing wrong and how to serve the correct chain would be appreciated.

IIS servers will usually refuse to serve the long chain nowadays (because it doesn't like having an expired certificate in the chain).

5 Likes

You can request a chain (and a PFX can be built to include the correct intermediate for that chain) but Windows then ignores the chain because it can't tolerate the expired DST Root CA X3. Nobody really figured that out until after the recent Let's Encrypt root expiry. (or if they did they didn't mention it here)

So basically, if you want a broadly compatible chain for all clients, use an alternative ACME CA like ZeroSSL, because their root is older and more commonly trusted (actually they have two and one is less common but cross signed, but that's complicated so you can ignore it).

In a few years, it won't matter as much because more trusted roots will expire and these devices will become permanently obsolete. Currently we're in a tricky changeover period where people still expect moderately old devices to work without any updates.

5 Likes
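To make the two chains from this thread concrete, here is an added Go example (not code from the original thread, from Win-Acme, or from Let's Encrypt). It builds a constructed PKI in memory that mirrors the situation described above: one intermediate key cross-signed by two roots, a "Legacy Root" that expires on 2021-09-30 (standing in for DST Root CA X3) and a "Modern Root" that is still valid (standing in for ISRG Root X1). All names, dates, keys and the hostname `example.test` are constructed for the example. Go's `crypto/x509` verifier is used as a stand-in for a strict client that checks the validity period of every certificate in the path, including the root: the short chain verifies against a store that holds the modern root, and the long chain verifies against a legacy-only store before the expiry date but fails after it. `describeChain` prints the kind of per-certificate report (subject, issuer, expiry, expired flag) that is useful when checking what a server actually sends.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed check times: one before and one after the legacy root's 2021-09-30 expiry.
var (
	checkBeforeExpiry = time.Date(2021, 9, 1, 0, 0, 0, 0, time.UTC)
	checkAfterExpiry  = time.Date(2021, 10, 15, 0, 0, 0, 0, time.UTC)
)

var serial int64 = 1

// newTemplate builds a minimal certificate template with a unique serial number.
func newTemplate(cn string, isCA bool, notBefore, notAfter time.Time) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.DNSNames = []string{"example.test"} // constructed hostname
	}
	return t
}

// sign issues tmpl for pub, signed by parent with parentKey; a nil parent means self-signed.
func sign(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// pki holds the constructed hierarchy: one intermediate key cross-signed by two roots.
type pki struct {
	legacyRoot, modernRoot       *x509.Certificate
	interByLegacy, interByModern *x509.Certificate
	leaf                         *x509.Certificate
}

// buildPKI creates the constructed certificates; only the legacy root has already expired.
func buildPKI() *pki {
	legacyKey, modernKey, interKey, leafKey := mustKey(), mustKey(), mustKey(), mustKey()
	d := func(y, m, day int) time.Time { return time.Date(y, time.Month(m), day, 0, 0, 0, 0, time.UTC) }

	legacyRoot := sign(newTemplate("Legacy Root (constructed)", true, d(2000, 1, 1), d(2021, 9, 30)), &legacyKey.PublicKey, nil, legacyKey)
	modernRoot := sign(newTemplate("Modern Root (constructed)", true, d(2015, 1, 1), d(2035, 1, 1)), &modernKey.PublicKey, nil, modernKey)

	// Cross-sign: the same intermediate subject and key, issued once by each root.
	interTmpl := newTemplate("Intermediate (constructed)", true, d(2020, 9, 1), d(2025, 9, 1))
	interByModern := sign(interTmpl, &interKey.PublicKey, modernRoot, modernKey)
	interByLegacy := sign(interTmpl, &interKey.PublicKey, legacyRoot, legacyKey)

	// The leaf is signed by the intermediate key, so either intermediate certificate validates it.
	leaf := sign(newTemplate("example.test", false, d(2021, 8, 1), d(2021, 11, 1)), &leafKey.PublicKey, interByModern, interKey)
	return &pki{legacyRoot, modernRoot, interByLegacy, interByModern, leaf}
}

// describeChain reports subject, issuer and expiry for each certificate, flagging any expired at now.
func describeChain(chain []*x509.Certificate, now time.Time) []string {
	out := make([]string, 0, len(chain))
	for _, c := range chain {
		line := fmt.Sprintf("%s <- %s, expires %s", c.Subject.CommonName, c.Issuer.CommonName, c.NotAfter.Format("2006-01-02"))
		if now.After(c.NotAfter) {
			line += " [EXPIRED]"
		}
		out = append(out, line)
	}
	return out
}

// verifyChain validates leaf through the supplied intermediates against a trust store of roots,
// at a fixed time so the outcome does not depend on the wall clock.
func verifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, now time.Time) error {
	ip, rp := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range intermediates {
		ip.AddCert(c)
	}
	for _, c := range roots {
		rp.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Intermediates: ip, Roots: rp, CurrentTime: now, DNSName: "example.test"})
	return err
}

func main() {
	p := buildPKI()
	short := []*x509.Certificate{p.leaf, p.interByModern}
	long := []*x509.Certificate{p.leaf, p.interByLegacy, p.legacyRoot}
	for _, l := range describeChain(long, checkAfterExpiry) {
		fmt.Println(l)
	}
	fmt.Println("short chain, modern root trusted:", verifyChain(p.leaf, short[1:], []*x509.Certificate{p.modernRoot}, checkAfterExpiry))
	fmt.Println("long chain, legacy root only, before expiry:", verifyChain(p.leaf, long[1:], []*x509.Certificate{p.legacyRoot}, checkBeforeExpiry))
	fmt.Println("long chain, legacy root only, after expiry:", verifyChain(p.leaf, long[1:], []*x509.Certificate{p.legacyRoot}, checkAfterExpiry))
}
```

The third `verifyChain` call is the case the thread is about: a client whose only trusted anchor is the legacy root, checked after that root expired. The error comes from the root's own validity period, not from the leaf or intermediate, which is why the same served chain can look fine in one tool and be rejected by another depending on whether the validator tolerates an expired anchor.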

You mean they will just be clicking the bypass/ignore button 1000 times a day - LOL

5 Likes
