Default chain still pre-May version

  1. What could cause this? Perhaps an old version of certbot?
  2. Is it a problem come September? They have an alternate AIA path that should work.

There are many sites on the internet that still have this old default chain:
End-entity certificate ← R3 ← DST Root CA X3

e.g.
app.utos.ws
myhub.massey.ac.nz

2 Likes
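A way to check which chain a server actually sends, added here as an example and not part of any post in this thread: it parses the `s:`/`i:` summary lines that `openssl s_client -showcerts` prints, verifies each certificate's issuer matches the next subject, and reports whether the intermediate is the DST Root CA X3 cross-sign the question describes. The hostname and captured output are constructed, and ISRG Root X1 (Let's Encrypt's own root, the alternative chain) is not named in the thread.

```python
import re

# Constructed sample (not a real capture) of the "Certificate chain" summary that
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
# prints for a server still sending the pre-May chain from the thread; the PEM
# blocks openssl prints between these lines are left out.
OLD_CHAIN_OUTPUT = """\
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

EXPIRED_ROOT = "DST Root CA X3"  # expires September 2021, the thread's concern
CURRENT_ROOT = "ISRG Root X1"    # Let's Encrypt's own root; not named in the thread

SUBJECT_LINE = re.compile(r"^\s*\d+ s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")


def parse_chain(output: str) -> list[tuple[str, str]]:
    """Return (subject, issuer) DN pairs in the order the server sent them."""
    certs, subject = [], None
    for line in output.splitlines():
        if m := SUBJECT_LINE.match(line):
            subject = m.group(1).strip()
        elif (m := ISSUER_LINE.match(line)) and subject is not None:
            certs.append((subject, m.group(1).strip()))
            subject = None
    return certs


def classify_chain(certs: list[tuple[str, str]]) -> tuple[str, str]:
    """Classify the sent chain by who signed the leaf's issuer (the intermediate)."""
    if not certs:
        return "no-chain", "server sent no certificates"
    # Each cert's issuer must equal the next cert's subject, or the chain is broken.
    for i, ((_, issuer), (next_subject, _)) in enumerate(zip(certs, certs[1:])):
        if issuer != next_subject:
            return "broken", f"cert {i} issuer does not match cert {i + 1} subject"
    if len(certs) == 1:
        return "leaf-only", "no intermediate sent; clients must fetch it via AIA"
    inter_subject, inter_issuer = certs[1]
    if inter_issuer.endswith("CN = " + EXPIRED_ROOT):
        return "old-default", f"{inter_subject} is the {EXPIRED_ROOT} cross-sign"
    if inter_issuer.endswith("CN = " + CURRENT_ROOT):
        return "current", f"{inter_subject} is issued by {CURRENT_ROOT}"
    return "other", f"intermediate issued by {inter_issuer}"
```

Pipe the real `openssl s_client` output into `parse_chain` to check a live host; a `leaf-only` result is the case where everything rests on the client following AIA.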

It's a good question, and I think it depends on both the client and the server. Windows (IIS etc.) for instance will doggedly serve the R3 > DST Root CA X3 chain (regardless of the client used or chain that was installed) unless you disable that version of the R3, but the general expectation is that once the R3 actually expires that will correct itself (in my 'future' testing I needed a server reboot).

The client side is different and depends on how the client reacts when it sees the expired R3, and whether it can build an alternative chain using its local trust store or other OS features.

There is also this thread but it's too big to get concrete information from now: Help thread for DST Root CA X3 expiration (September 2021)

I believe the conventional wisdom is that it will all just work, but I expect at least a few hiccups along the way.

Hard to say without knowing which version is being used. It could be due to ancient versions of certbot, but I believe it's rather unlikely.

Potentially.

No guarantees a client will actually use the AIA when presented with an invalid chain. I wouldn't bet on it anyway, as we wouldn't see so many chain issues in the first place if browsers would magically fix it regardless of the chain sent by the server.

Then many sites will probably have a problem when that intermediate expires.

Note that sending this incorrect chain is mainly due to system operator incompetence IMO, at least when working with *nix-based systems. I can't say anything about Windows servers, as I can also imagine Windows servers are ()#$()#$())_@# to manage in the first place :stuck_out_tongue:

2 Likes

@Osiris Agreed!

@sjh_au Which ACME client (and version) are those two sites using?
Is the chain LE provides being used?