The operating system my web server runs on is (include version): -
My hosting provider, if applicable, is: I am using Send-ChallengeAck
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Azure
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I am using Posh-ACME
We are requesting certificates through the PowerShell module with the HTTP challenge token. This whole process works and we are getting a certificate back on the machine we request it on, but for some time (unsure when it started) we have been getting back the fullchain.pfx (and all other files as .cer, key, etc.) with the fullchain missing the root (ISRG Root X1).
If I open the fullchain.pfx or the fullchain.cer there are just 2 certificates in it.
We do not change anything on the output of the certificates. I take the files as they are from the Posh-ACME module. Hopefully someone can help us with this issue. I now have to manually add the X1 root cert to all chains.
We use the certificate on an Azure Application Gateway, and we noticed that if we do not supply the pfx with all 3 certificates in it, then it has an issue with setting up a routing rule.
The Let's Encrypt server has never sent a chain to the ACME client (Posh-ACME in this case) that included the root. So, I am not sure what could have changed, unless it is something Posh-ACME used to have an option for. I looked through its changelog but did not see any change related to that.
If you really do need it you will need to add a step to append it to the chain you are given by the LE server.
I am not an Azure (or Posh-ACME) expert, but maybe a different volunteer with direct experience with those will have more info. Maybe @webprofusion or @rmbolger
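The "add a step to append it" advice above, as an added PowerShell example that is not Posh-ACME's own code and not from this thread. It loads the fullchain.pfx that Posh-ACME writes, checks whether the chain already ends at a self-signed root, and only if it does not, appends ISRG Root X1 from a locally saved copy of the PEM and writes a new 3-certificate PFX. The parameter names, the default password 'poshacme' (Posh-ACME's documented default; confirm against your own `-PfxPass`) and the file paths in the usage line are assumptions for illustration.

```powershell
# Added example, not part of the original post or of Posh-ACME.
# Assumes: $PfxPath is Posh-ACME's fullchain.pfx, $PfxPassword its password,
# $RootPemPath a copy of https://letsencrypt.org/certs/isrgrootx1.pem you saved yourself.
using namespace System.Security.Cryptography.X509Certificates

function Test-ChainHasRoot {
    param([Parameter(Mandatory)][X509Certificate2Collection]$Chain)
    # A root certificate is self-issued: its Subject equals its Issuer.
    foreach ($c in $Chain) {
        if ($c.Subject -eq $c.Issuer) { return $true }
    }
    return $false
}

function Add-RootToPfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$RootPemPath,
        [Parameter(Mandatory)][string]$OutPath,
        [string]$PfxPassword = 'poshacme'   # assumed default, check your Posh-ACME config
    )

    # Import leaf + intermediate (and private key) from the PFX; Exportable is required
    # so the key can be written back out into the new PFX.
    $chain = [X509Certificate2Collection]::new()
    $chain.Import($PfxPath, $PfxPassword, [X509KeyStorageFlags]::Exportable)
    Write-Host ("Input PFX contains {0} certificate(s)" -f $chain.Count)

    if (Test-ChainHasRoot -Chain $chain) {
        Write-Host "Chain already ends at a self-signed root; nothing to append."
        return $chain.Count
    }

    # Load the root from PEM and sanity-check it before trusting it into the bundle.
    $root = [X509Certificate2]::new($RootPemPath)
    if ($root.Subject -ne $root.Issuer) {
        throw "File '$RootPemPath' is not a self-signed root certificate: $($root.Subject)"
    }
    if ($root.Subject -notlike '*ISRG Root X1*') {
        throw "Expected ISRG Root X1 but got: $($root.Subject)"
    }

    # The top certificate we hold must actually be issued by this root, otherwise
    # appending it only produces a chain that looks complete but does not verify.
    $top = $chain | Where-Object { $_.Issuer -eq $root.Subject }
    if (-not $top) {
        throw "No certificate in the PFX is issued by $($root.Subject); wrong root for this chain."
    }

    [void]$chain.Add($root)
    $bytes = $chain.Export([X509ContentType]::Pkcs12, $PfxPassword)
    [System.IO.File]::WriteAllBytes($OutPath, $bytes)
    Write-Host ("Wrote {0} with {1} certificate(s)" -f $OutPath, $chain.Count)
    return $chain.Count
}

# Usage (hypothetical paths):
# Add-RootToPfx -PfxPath 'C:\certs\fullchain.pfx' -RootPemPath 'C:\certs\isrgrootx1.pem' `
#               -OutPath 'C:\certs\fullchain-with-root.pfx' -PfxPassword 'poshacme'
```

The issuer check matters more than it looks: a chain that ends at ISRG Root X1 today can end at ISRG Root X2 after a future chain change, and blindly appending the wrong root gives App Gateway a bundle that still fails validation. Run the function as a post-step after each renewal rather than once by hand, since every renewal produces a fresh fullchain.pfx.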
Hi Mike, thanks for looking into it so quickly. I have opened a ticket with Microsoft to also look into this behaviour; as you mentioned that it never got supplied, I want to see if maybe something changed on their end.
I will be waiting patiently in case @webprofusion or @rmbolger have some other useful info for me! Thanks for helping out so far.
The only time Posh-ACME would have been creating a PFX that included ISRG Root X1 is back when LE was still serving the long chain with the cross-signed version of ISRG Root X1, because X1 was then still part of the chain being sent by LE and not the actual root.
But that would have stopped happening way back in June 2024 when they stopped serving the long chain.
Maybe App Gateway didn't have a problem with the longer chain while the cross-signed ISRG Root X1 was still valid? The cross-sign didn't actually expire until the end of September 2024. When did your problems start happening?
It's best to raise a support ticket with Azure Support directly.
Azure Application Gateway is a Linux-based proxying/load balancing service that doesn't follow the normal rules. I would expect them to trust public roots for you, but clearly that's not working here. I'd straight up ask them whether ISRG Root X1 and ISRG Root X2 are already trusted roots or whether you have to supply them. In some cases people working with App Gateway are using custom CAs, so those are expected to provide the root.
Thanks for all the quick replies, digging into it, and letting me know that nothing on the LE side has changed. I made the ticket with Azure, and after a long troubleshooting session it appeared that the Application Gateway had some bug in it. Rebooting the thing fixed the issue!