Chain has the wrong root certificate (update: no it doesn't)

Fish · September 14, 2023, 5:52am

Disclaimer: I'm not sure if this is a problem, or if I've run out of skill.

I notice that the root certificate provided by many servers using Let's Encrypt is the ISRG Root X1 with dates from 2021-2024.

However, this does not verify the Let's Encrypt R3 certificate. The ISRG Root X1 with dates from 2015-2035 does. But, the servers don't supply this. See:

[Fish ~]$ openssl x509 -noout -issuer -subject -dates < isrgrootx1_2021-2024.pem 
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
notBefore=Jan 20 19:14:03 2021 GMT
notAfter=Sep 30 18:14:03 2024 GMT
[Fish ~]$ 
[Fish ~]$ openssl x509 -noout -issuer -subject -dates < isrgrootx1_2015-2035.pem 
issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
notBefore=Jun  4 11:04:38 2015 GMT
notAfter=Jun  4 11:04:38 2035 GMT
[Fish ~]$ 
[Fish ~]$ openssl verify -verbose -CAfile isrgrootx1_2021-2024.pem letsencryptr3.pem
letsencryptr3.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 1 depth lookup:unable to get issuer certificate
[Fish ~]$ 
[Fish ~]$ openssl verify -verbose -CAfile isrgrootx1_2015-2035.pem letsencryptr3.pem
letsencryptr3.pem: OK

Anyone knows why this would be?

Osiris · September 14, 2023, 5:56am

See:

webprofusion · September 14, 2023, 6:04am

Yes, for legacy compatibility reasons Let's Encrypt default to providing the DST Root CA X3 chain (expired root) becasue a lot of devices had outdated trust stores that didn't know ISRG Root X1 (self signed). This is going away in the future.

The chain the server chooses to serve is one thing, and how the client chooses to verify that is another.

A lot depends also on how you are verifying the certificate path in your client, for instance Windows clients generally depend on the OS level path verifier and they will discard the ISRG Root X1 > DST Root CA X3 path and use ISRG Root X1 as the root instead.

Fish · September 14, 2023, 6:11am

Very thanks to Osiris and webprofusion, I learned a lot.

[Fish ~]$ cat isrgrootx1_2021-2024.pem dstx3.pem > isrgroot_dstx3.pem
[Fish ~]$ openssl verify -verbose -CAfile isrgroot_dstx3.pem letsencryptr3.pem 
letsencryptr3.pem: O = Digital Signature Trust Co., CN = DST Root CA X3
error 10 at 2 depth lookup:certificate has expired
OK

system · October 14, 2023, 6:11am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Wrong dates in Chain of Trust Page Site Feedback	12	483	June 22, 2024
KeyStore / ISRG Root X1 Help	7	1682	October 8, 2021
Certificate has expired Help	5	1082	November 11, 2021
IdenTrust DST Root CA X3 expiry Help	18	5243	November 6, 2021
Letsencrypt renews certificates incorrectly Help	5	731	March 5, 2022

Chain has the wrong root certificate (update: no it doesn't)

Related topics