'Certificate Path' vs 'Issued by'

I just renewed one of my certificates on my centos/haproxy server, and I noticed something interesting that I do not understand! (I’ve been manually renewing and running scripts while I perfect my scripts since I have quite a bit going on – hopefully the next renewal will be fully automated)

When viewing the certificate in my browser, I can see that on the General tab the certificate is ‘Issued by’ the X3 CA, but if I hit the ‘Certification Path’ I see that the chain is:
“DST Root CA X3”->“Let’s Encrypt Authority X1”->“My certificate”

Do I have something messed up on my ca-bundle on my server, or is this normal behavior? Do I have the better compatibility with XP that X3 offers, or am I functioning off of X1’s compatibility?

Either way, I absolutely love this service and recommend it to everyone I get a chance to interact with. You’re doing great things here!

“DST Root CA X3” is the name of IdenTrust’s root certificate. Let’s Encrypt’s intermediate certificates, which ultimately lead back to that root certificate, are called “Let’s Encrypt Authority X[1-4]”. The “X3” in IdenTrust’s “DST Root CA X3” root certificate is more or less coincidental (and slightly confusing at times).

If your certificate was issued by “Let’s Encrypt Authority X1” (check the entire string, not just the X3 part), your certificate won’t work for XP users using IE/Chrome. If it’s “Let’s Encrypt Authority X3”, you’re good. You mentioned that you just reviewed your certificate - Let’s Encrypt doesn’t use the “Let’s Encrypt Authority X1” anymore, so you’d have gotten a certificate signed by “Let’s Encrypt Authority X3”. If you’re still somehow seeing “Let’s Encrypt Authority X1”, you’re either not using the new certificate, or you’re having some chain issues, which you could confirm using SSL Labs.

Thank you for your detailed explanation. I do understand the differences between DST X3 and LetsEncrypt X3. To clear up any confusion, this is what it looks like when I view it on my web browser on my computer.

SSL Labs lists LetsEncrypt X3 in the middle section of the certificate path, but my Windows (Chrome) client does not.

Does this mean that most likely my haproxy service has got a chain issue?

Okay, that doesn’t make any sense.

There were some issues with IIS when Let’s Encrypt moved from X1 to X3 because they share the same Subject Key Identifier, and IIS installations that previously used X1 would always build a chain back to X1, even when X3 was available. This almost looks like the same thing on the client side. Any chance you imported the intermediate certificate in your certificate store on that client at some point, or something like that?

Either way, if SSL Labs doesn’t report any chain issues (missing or extra chain certificates), you should be good on XP and this is most likely an issue specific to your client.

Ohhhhhhhhhhhhhh weird. I just checked on another computer and it actually shows the correct chain on the ‘Certificate Path’ tab.

Those intermediate CA certificates were in the intermediate CA folder on my local workstation (under ‘Current User’). I removed them and now the chain shows up correctly on this computer as well. I must have added those a while back during some troubleshooting.

Thanks for the help, I would have never figured that out!
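A way to check a Windows client for the condition this thread ended up diagnosing, as an added example that is not part of the original posts: the PowerShell below lists certificates in the 'Intermediate Certification Authorities' stores (current user and local machine) that carry the same Subject Key Identifier under different subject names, which is the situation described above for “Let’s Encrypt Authority X1” and “Let’s Encrypt Authority X3”. It only reads the stores and removes nothing.

```powershell
# Added example: find intermediate CA certificates that share a Subject Key
# Identifier (SKI) but have different subject names. A stale copy of such an
# intermediate in a local store is what the thread found behind the unexpected
# 'Certification Path'.
$stores = 'Cert:\CurrentUser\CA', 'Cert:\LocalMachine\CA'
$skiOid = '2.5.29.14'   # OID of the Subject Key Identifier extension

$entries = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $skiOid }
        if (-not $ext) { continue }   # no SKI extension, nothing to compare

        # Decode the raw extension into its typed form to read the key id.
        $ski = New-Object `
            System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension(
                $ext, $ext.Critical)

        [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SKI        = $ski.SubjectKeyIdentifier
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
}

# Keep only key identifiers that appear under more than one distinct subject.
# Cross-signed copies of one CA (same subject, same key) are not reported.
$shared = $entries |
    Group-Object -Property SKI |
    Where-Object { @($_.Group.Subject | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { $_.Group }

if ($shared) {
    $shared | Sort-Object SKI, Subject |
        Format-List Store, Subject, Issuer, SKI, NotAfter, Thumbprint
} else {
    'No intermediates with a shared Subject Key Identifier were found.'
}
```

Any entry reported under `Cert:\CurrentUser\CA` corresponds to the 'Current User' intermediate CA folder mentioned in the last post.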
