Chain has the wrong root certificate (update: no it doesn't)

Disclaimer: I'm not sure if this is a problem, or if I've run out of skill.

I notice that the root certificate provided by many servers using Let's Encrypt is the ISRG Root X1 with dates from 2021-2024.

However, this does not verify the Let's Encrypt R3 certificate. The ISRG Root X1 with dates from 2015-2035 does. But, the servers don't supply this. See:

[Fish ~]$ openssl x509 -noout -issuer -subject -dates < isrgrootx1_2021-2024.pem 
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
notBefore=Jan 20 19:14:03 2021 GMT
notAfter=Sep 30 18:14:03 2024 GMT
[Fish ~]$ 
[Fish ~]$ openssl x509 -noout -issuer -subject -dates < isrgrootx1_2015-2035.pem 
issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
notBefore=Jun  4 11:04:38 2015 GMT
notAfter=Jun  4 11:04:38 2035 GMT
[Fish ~]$ 
[Fish ~]$ openssl verify -verbose -CAfile isrgrootx1_2021-2024.pem letsencryptr3.pem
letsencryptr3.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 1 depth lookup:unable to get issuer certificate
[Fish ~]$ 
[Fish ~]$ openssl verify -verbose -CAfile isrgrootx1_2015-2035.pem letsencryptr3.pem
letsencryptr3.pem: OK

Anyone knows why this would be?



Yes, for legacy compatibility reasons Let's Encrypt default to providing the DST Root CA X3 chain (expired root) becasue a lot of devices had outdated trust stores that didn't know ISRG Root X1 (self signed). This is going away in the future.

The chain the server chooses to serve is one thing, and how the client chooses to verify that is another.

A lot depends also on how you are verifying the certificate path in your client, for instance Windows clients generally depend on the OS level path verifier and they will discard the ISRG Root X1 > DST Root CA X3 path and use ISRG Root X1 as the root instead.


Very thanks to Osiris and webprofusion, I learned a lot.

[Fish ~]$ cat isrgrootx1_2021-2024.pem dstx3.pem > isrgroot_dstx3.pem
[Fish ~]$ openssl verify -verbose -CAfile isrgroot_dstx3.pem letsencryptr3.pem 
letsencryptr3.pem: O = Digital Signature Trust Co., CN = DST Root CA X3
error 10 at 2 depth lookup:certificate has expired

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.