I've set up a Cisco Expressway-E node and activated ACME service. Also I uploaded Let's Encrypt ISRG Root X1 and intermediate R13 certificate to the store of trusted CAs.
However, after I generate a server CSR and sign it via ACME and then deploy the certificate, I get the message: "ACME deploy operation failed: The trust chain for the pending certificate is missing or invalid."
I believed Let's Encrypt ISRG Root X1 and intermediate R13 certificates provided the trust chain, so why does this message show up?
You shouldn't add intermediates (e.g. R13) to trust stores. That said, what certs are you actually serving to your visitors? Should be your leaf and R13 (if it issued your leaf) and not the root.
To my knowledge, trust stores are usually used by a client to verify certificates received from a server, meaning that the root would need to be present in the clients'/visitors' trust stores. As for the intermediate, it's generally bad practice to anchor trust in an intermediate. Keep in mind that Let's Encrypt arbitrarily issues from a set of intermediates that can be rotated at any time.
Those instructions seem outdated and horrible. I don't know what a Cisco Expressway is, but any system that wants you to explicitly add intermediates is horribly broken. The client should have the roots of the CAs it trusts in its trust store, and servers should be serving the complete chain that they got from the ACME server that the CA runs.
I do totally agree with you on this product being weird, to say the least. I'll try uploading only the root cert tomorrow and will be back with an update.
Best to log a ticket with Cisco and tell them the ACME service rotates intermediates regularly and can they instead use the intermediates provided automatically during the ACME renewal process; if they say no, speak to your Cisco account manager. Or just start with them.
Well, I uploaded intermediate R12 cert and it worked. Without intermediate certs ACME service issued error "no trust chain for the deployed cert". No idea why it works because you're absolutely right, the root cert should have been enough. And no idea why R13 intermediate cert didn't work.
Well, if it actually needs the intermediates, then you should be loading all of Let's Encrypt's intermediates, including the ones listed as "backup" and "upcoming", and subscribe to the Let's Encrypt Technical Updates newsletter to be notified when they add new ones. It's, uh, definitely not the ideal way to do things, but sometimes broken systems work that way.
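To make the point in the replies above concrete (a client should anchor on the root and the server should serve the full chain it got from ACME; pinning one intermediate breaks as soon as the CA rotates to another), here is an added example that is not from the thread and has nothing to do with Cisco's product. It builds a throwaway PKI with Go's standard library: a constructed root, two constructed intermediates standing in for R12 and R13, and a leaf issued by the R13 stand-in. It then runs the four verification setups discussed in the thread through `crypto/x509`'s own chain verifier. The names ("Test Root X1", "Test R12", "Test R13", `expressway.example.test`) are made up and are not real Let's Encrypt certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "expressway.example.test" // constructed hostname for the leaf

var serial int64 // simple unique serial counter for the constructed certs

// mkCert issues a certificate for cn, signed by parent; a nil parent makes it self-signed.
// Everything produced here is constructed test data, not a real CA's certificate.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // Go's verifier requires this on signing CAs
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn} // hostname checks use the SAN, not the CN
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyChain plays the TLS client: served is what the server sends (leaf first, then
// whatever intermediates it chose to include); trusted is the client's trust store.
func verifyChain(served []*x509.Certificate, trusted []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	intermediates := x509.NewCertPool()
	for _, c := range served[1:] {
		intermediates.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: intermediates,
	})
	return err
}

// Results holds the outcome (nil = chain verified) of each setup from the thread.
type Results struct {
	RootAnchorFullChain  error // client trusts root, server serves leaf + R13: the intended setup
	RootAnchorLeafOnly   error // client trusts root, server serves only the leaf: missing intermediate
	R13AnchorLeafOnly    error // client pinned R13 directly: works today, brittle
	R12AnchorLeafFromR13 error // client pinned R12, CA has rotated to R13: breaks
}

func runScenarios() Results {
	root, rootKey := mkCert("Test Root X1", true, nil, nil)
	r12, _ := mkCert("Test R12", true, root, rootKey)
	r13, r13Key := mkCert("Test R13", true, root, rootKey)
	leaf, _ := mkCert(host, false, r13, r13Key) // the "ACME" issuance happens to come from R13

	return Results{
		RootAnchorFullChain:  verifyChain([]*x509.Certificate{leaf, r13}, []*x509.Certificate{root}),
		RootAnchorLeafOnly:   verifyChain([]*x509.Certificate{leaf}, []*x509.Certificate{root}),
		R13AnchorLeafOnly:    verifyChain([]*x509.Certificate{leaf}, []*x509.Certificate{r13}),
		R12AnchorLeafFromR13: verifyChain([]*x509.Certificate{leaf, r13}, []*x509.Certificate{r12}),
	}
}

func main() {
	r := runScenarios()
	fmt.Println("root anchor, full chain served:   ", r.RootAnchorFullChain)
	fmt.Println("root anchor, leaf only served:    ", r.RootAnchorLeafOnly)
	fmt.Println("R13 pinned, leaf only served:     ", r.R13AnchorLeafOnly)
	fmt.Println("R12 pinned, leaf issued by R13:   ", r.R12AnchorLeafFromR13)
}
```

The first case is the one the replies recommend and the only one that survives an intermediate rotation: the trust store holds just the root, and whichever intermediate the CA happened to issue from arrives in the served chain. The second case is what "trust chain missing" looks like when a server forgets to serve its intermediate. The third and fourth cases show why pinning an intermediate is fragile: it verifies only while the CA keeps issuing from that exact intermediate, and fails with an unknown-authority error the moment issuance moves to a sibling.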