DHS Audit failure

Apologies if this is under the wrong category, but I would like to bring this to your attention however I can. We were going through a DHS security audit and they flagged two webservers that had in common that they use Let's Encrypt certificates. I wasn't given a reason; I was just told to switch them out. I'm too low on the totem pole to press the issue, but if you guys aren't aware of it, DHS is claiming the certificate is not secure.

I suspect there are a lot more details involved in whatever it is. Let's Encrypt certificates are just as "secure" as any other public CA. It may be some specific aspect of the certificate wasn't up to some standard (maybe the key size wasn't long enough or the like), or more likely something about the server configuration that really wasn't related to which vendor supplied the certificate (maybe a scan was confused about the intentional but a little confusing choice of having the expired DST Root CA X3 in the chain, even though doing so doesn't decrease security, or just an old version of TLS was enabled or whatnot). But without the details of exactly what this claim is, I don't think there's anything actionable on the Let's Encrypt side.

12 Likes

If I can get more detail I will certainly include it here. Thank you

3 Likes

Can you clarify the above:

  • Were these the only 2 servers that used Let's Encrypt certificates?

or

  • Were these 2 different servers that used the same Let's Encrypt certificate, and there are other servers that use Let's Encrypt certificates without complaint?

8 Likes

Yes, of our outward-facing web servers these are the only two that use LE certificates. And I did receive confirmation that apart from them being deemed untrusted by DHS there is nothing else wrong with them. The keys are 2048-bit and the chain is from ISRG Root X1/R3 and of course everything is completely trusted by any browser I try. It was only flagged on their report. I assumed it was them just having something personal against LE; I mainly was wondering if it was pushback that you had heard about before.

Also, both servers use their own cert. One with certbot and one with the built-in mechanism used by Bitwarden. For all I know that's certbot too.

1 Like

Thanks for your report. It's not something we've heard before specifically about the DHS. I'll definitely take note if we hear similar things, and hopefully help ensure that our certificates are trusted when possible.

However, there are outdated scanning tools which may not know about the Let's Encrypt root CA, or otherwise have some custom trust store that's been hand-curated to include "needed" roots.

For what it's worth, many parts of the US government do use Let's Encrypt, including https://https.cio.gov/ and https://login.gov/ and even https://cyber.dhs.gov, though that just redirects to another page not using Let's Encrypt.

There is also a Federal PKI which I know less about, and it's possible they want you to use that? But that's outside of the usual scope of things I deal with. Federal Public Key Infrastructure Guide Introduction -- Also this page about it uses Let's Encrypt 🙂

8 Likes

Another possibility is that the scanning tool is unhappy with our inclusion of a cross-signed certificate from the expired DST Root CA X3 in the certificate chain. We do that in order to support older Android versions. If you don't need to support old versions of Android, you could try configuring your server's certificate chain to omit that last certificate and ask for a re-scan. If that satisfies them, you can set up your ACME client to select an alternate chain on each renewal, which doesn't include the cross signature.

8 Likes
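
A way to check the point raised in the last reply, added here as an example and not part of the original thread: it parses the "Certificate chain" section printed by `openssl s_client -connect host:443 -showcerts` and reports whether the server is sending ISRG Root X1 cross-signed by DST Root CA X3. The sample output, hostname and function names are constructed for illustration.

```python
import re

# Constructed sample of the "Certificate chain" section from
# `openssl s_client -showcerts`; www.example.org is a placeholder host.
SAMPLE_LONG_CHAIN = """\
Certificate chain
 0 s:CN = www.example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
# Same server after the last (cross-signed) certificate is omitted.
SAMPLE_SHORT_CHAIN = SAMPLE_LONG_CHAIN.split(" 2 s:")[0] + "---\n"

# One chain entry is a "<depth> s:<subject>" line followed by an "i:<issuer>" line.
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s+i:(.*)$", re.MULTILINE)
# Accepts both "CN = R3" (OpenSSL 1.1.1) and "CN=R3" (OpenSSL 3) spellings.
CN = re.compile(r"CN\s*=\s*([^,/\n]+)")


def common_name(dn):
    """Extract the CN from a distinguished name, or return the DN unchanged."""
    m = CN.search(dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(s_client_output):
    """Return [(depth, subject CN, issuer CN)] for each certificate the server sent."""
    return [(int(d), common_name(s), common_name(i))
            for d, s, i in ENTRY.findall(s_client_output)]


def cross_sign_findings(chain, expired_root="DST Root CA X3"):
    """List served certificates whose issuer is the expired root named in the thread."""
    return [f"depth {depth}: '{subject}' is cross-signed by {expired_root}"
            for depth, subject, issuer in chain if issuer == expired_root]


if __name__ == "__main__":
    for name, out in (("long", SAMPLE_LONG_CHAIN), ("short", SAMPLE_SHORT_CHAIN)):
        chain = parse_chain(out)
        print(name, len(chain), "certs:",
              cross_sign_findings(chain) or "no cross-sign served")
```

If the long chain is reported, Certbot's `--preferred-chain "ISRG Root X1"` option is one way to request the alternate chain at renewal before asking for a re-scan.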