Force X4 root in chain before it becomes default

As part of working on a brand new API, we use LetsEncrypt for generating SSL certificates.

LetsEncrypt's current X3 certificate expires in September 2021. They originally planned on making the X4 the default as of September 29 2021 (yesterday).

But it turns out they prolonged the change until January 11th due to lack of propagation of trust on some devices. Source: https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html

I struggle to find out if it is possible for me to force my LetsEncrypt to use the new X4 certificate. This way, our new customers on the new API will be faced with potential certificate issues upfront (if their servers don't trust the X4) instead of having an issue later when we choose to renew the certificate to the X4.

Can anyone tell me if this is possible or point me in the direction of such information.

Thanks.

2 Likes

The X4 intermediate certificate is only used as a backup and won't be used unless something terrible has happened to the X3 intermediate.

I think you've got the certs mixed up. See the full certificate hierarchy:

Source: Chain of Trust which also contains all the intermediate certificates, cross-signed and signed by the ISRG root(s).

I think you mean the transition from the "DST Root CA X3" to the "ISRG Root X1"?

Also, you can "force" a different root certificate by choosing a different intermediate certificate, as long as the public key in that intermediate certificate is the same. As all end leaf certs are currently signed by the Let's Encrypt Authority X3 intermediate certificate cross-signed by the DST Root CA X3 root, you could change your webserver's certificate chain to contain the intermediate certificate signed by ISRG Root X1.

3 Likes

To this point - yes, it is possible to do that today.

As @Osiris mentions, I think what you mean to ask is whether there's a way to force your LetsEncrypt to use the ISRG-signed intermediate (whether X3 or its successor R3, doesn't matter), so that your customers can be faced with potential certificate issues upfront, if their servers don't trust the ISRG root.

It depends what ACME client you use, but quite a lot of them now support selecting which root certificate to prefer. You just need to tell your client to prefer the "ISRG Root X1" root (or even manually substitute the intermediate).

4 Likes

As advertised for certbot here: Transition to ISRG's Root delayed until Jan 11 2021 - #2 by jsha

2 Likes

Thank you so much for the clarification. You are absolutely right; I mixed up the certificates and your assumptions about my question were right.

I am using certbot.

Question A)
Does your solution of "you could change your webserver's certificate chain to contain the intermediate certificate signed by ISRG Root X1." imply that I edit the pem-chain file manually after generating the certificate? Or is there a more fail-safe way to do it automatically using certbot?

Question B) Is it certain that LetsEncrypt will, before September 2021, end up only issuing certificates requiring clients to trust the non-cross-signed version, or is there a chance that "DST Root CA X3" will instead be replaced with another cross-signed certificate to allow for the great internet to not break next year?

3 Likes

Like @_az said: it depends on your ACME client. certbot has a new flag (see the post I referenced above) for it. If you only have just a single or a few certificates, I can imagine you'd re-issue those certs with that new flag set to the ISRG root. But manually modifying the PEM files isn't that hard. Unfortunately, if you do it by hand, certbot won't remember it for the next renewal. So it's probably best to let certbot do all the work.

Not sure about that. Not sure if it's even possible. Also, "break the internet" is a little bit strong I think. Only older clients are affected. Probably clients which should have been updated due to lack of security updates anyway.

2 Likes

How exactly can I flag my certbot execution to use the certification? Do you have a link or a copy/paste ready one-liner I can go test out?

Thanks again for all your time on this. Your and the other replier's help is very appreciated.

2 Likes

Please see the URL I linked above... I've never worked with that option before.

2 Likes

Sorry, just missed your link there. I will go dive into this.

Thanks

2 Likes

I have a draft announcement for Certbot here which includes a one-liner (just replace DST Root CA X3 with ISRG Root X1). It hasn't been published yet, but might be helpful for you. Keep in mind that it will only kick in at your next renewal, so you might be better off manually substituting the second certificate in your fullchain.pem if you want to just test this out.

2 Likes

If you are developing your own API and/or using a client library you should look at the Link sections of the response header returned when you request your cert (after completing domain validation):
https://acme-v02.api.letsencrypt.org/acme/cert/abcd123

{
  Connection: keep-alive
  Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
  Link: <https://acme-v02.api.letsencrypt.org/acme/cert/abcd123/1>;rel="alternate"
  Replay-Nonce: 0001ScDOT1
  X-Frame-Options: DENY
  Strict-Transport-Security: max-age=604800
  Cache-Control: public, no-cache, max-age=0
  Date: Tue, 29 Sep 2020 20:39:21 GMT
  Server: nginx
  Content-Length: 3681
  Content-Type: application/pem-certificate-chain
}

If you follow the rel='alternate' link currently served by the production API you will get a certificate chain using the newer ISRG root.

3 Likes
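A small parser for those Link headers, as an added example (not code from the thread or from any ACME client): it pulls every rel="alternate" chain URL out of the response so a client can fetch the ISRG-rooted chain instead of the default one. The header value is a constructed sample built from the response quoted above.

```python
import re
from typing import Dict, Iterable, List, Mapping, Tuple, Union

# Constructed sample: the two Link headers quoted above, folded into one
# comma-separated value the way most HTTP client libraries present them.
SAMPLE_HEADERS = {
    "Link": (
        '<https://acme-v02.api.letsencrypt.org/directory>;rel="index", '
        '<https://acme-v02.api.letsencrypt.org/acme/cert/abcd123/1>;rel="alternate"'
    ),
    "Content-Type": "application/pem-certificate-chain",
}

# One link-value: <URI> followed by ";param=value" pairs, up to the next comma.
_LINK_RE = re.compile(r"<([^>]*)>((?:\s*;\s*[^,;]+)*)")


def parse_link_header(value: Union[str, Iterable[str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Split Link header value(s) into (url, {param: value}) pairs (RFC 8288 subset).

    Accepts a single folded string or a list of separate header values.
    """
    values = [value] if isinstance(value, str) else list(value)
    links = []
    for v in values:
        for m in _LINK_RE.finditer(v):
            params = {}
            for p in m.group(2).split(";"):
                key, _, val = p.strip().partition("=")
                if key:
                    params[key.lower()] = val.strip().strip('"')
            links.append((m.group(1), params))
    return links


def alternate_chain_urls(headers: Mapping[str, Union[str, Iterable[str]]]) -> List[str]:
    """Every alternate-chain URL the ACME server advertises for this certificate."""
    return [url for url, params in parse_link_header(headers.get("Link", ""))
            if "alternate" in params.get("rel", "").lower().split()]


def chain_download_order(default_url: str, headers: Mapping[str, Union[str, Iterable[str]]]) -> List[str]:
    """Default chain first, then alternates: the order a client walks when it wants
    a chain ending at a specific root (e.g. ISRG Root X1 rather than DST Root CA X3)."""
    return [default_url] + [u for u in alternate_chain_urls(headers) if u != default_url]
```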

It would maybe be nice if letsencrypt.org (the main website, not the api etc) transitioned to the ISRG root now, so we could test client apps/browsers by just pointing them to that site, or maybe there is a site to test with already?

1 Like

@webprofusion Why would you use a main site as a testing environment? :confused:

1 Like

Either way, that test site does exist: https://valid-isrgrootx1.letsencrypt.org/

(But don't trust your browser if it says DST Root CA X3, that's just some caching/shortcutting. Check with openssl)

7 Likes

As linked in the "Chain of Trust" page linked in the first comment to this thread :wink:

1 Like

The alternate root is currently linked in the production environment, meaning it's ready for use in production; whether or not you consider it testing is relative.

Let's Encrypt themselves are postponing the date of using their own root certificate for production. Would be weird to implement it on their main site anyway.

Easy to build an alternate chain that is valid till September 2021.

Is there a chance to use Intermediate CA R3 now?
B2B websites do not really care about old Android devices. Using R3 as intermediate CA would give me a setup that can run till 2025 without problems with expiry.
Is there a software that can enforce "R3" as the issuer of my certificate? (No problem to script the root chain to X1 or X3 afterwards.)

Test command for the X3/X1 chain is:
true|openssl s_client -showcerts -verify 5 -connect valid-isrgrootx1.letsencrypt.org:443 -servername valid-isrgrootx1.letsencrypt.org 2>&1| head -12

2 Likes
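An added example (not from the thread) for the openssl check above and the earlier warning not to trust what the browser shows: it parses `openssl s_client -showcerts` output and reports which root the served chain actually leads to, independent of the root the local trust store picked. The output below is a constructed sample with PEM bodies elided.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `openssl s_client -showcerts` output (PEM bodies elided).
# The depth= line shows the root the *local* store chose (here DST Root CA X3);
# the "Certificate chain" block is what the server sent, which is what a client
# that lacks the old root must be able to build a path from.
SAMPLE_OUTPUT = """\
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
---
Certificate chain
 0 s:CN = valid-isrgrootx1.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIF...elided...
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIF...elided...
-----END CERTIFICATE-----
"""

_SUBJECT_RE = re.compile(r"^\s*\d+\s+s:(.*)$")  # " 0 s:CN = ..." lines
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")         # the "   i:..." line that follows
_CN_RE = re.compile(r"CN\s*=\s*([^,/]+)")       # handles "CN = x" and "/CN=x" styles


def common_name(dn: str) -> str:
    """Pull the CN out of an OpenSSL-printed distinguished name."""
    m = _CN_RE.search(dn)
    return m.group(1).strip() if m else dn.strip()


def served_chain(output: str) -> List[Tuple[str, str]]:
    """(subject CN, issuer CN) for each certificate the server sent, in order."""
    lines = output.splitlines()
    chain = []
    for idx, line in enumerate(lines):
        s = _SUBJECT_RE.match(line)
        i = _ISSUER_RE.match(lines[idx + 1]) if s and idx + 1 < len(lines) else None
        if s and i:
            chain.append((common_name(s.group(1)), common_name(i.group(1))))
    return chain


def served_root(output: str) -> Optional[str]:
    """Root the served chain terminates at, or None if the chain is not linked."""
    chain = served_chain(output)
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return None  # gap between consecutive certs: the server sent a broken chain
    return chain[-1][1] if chain else None
```

Pipe the command from the post above into this instead of `head -12` to get a yes/no answer for "ISRG Root X1" rather than eyeballing the output.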

You can see from the search at

that there have been no certificates issued under this intermediate at all yet. So you'll have to wait a little longer for issuance using it to begin.

The announcement post said

We expect to switch our primary issuance pipeline to use R3 later this year, which won’t have any real effect on issuance or renewal.

I don't know exactly when "later this year" refers to. I was somehow imagining "about two update windows", but that's not based on anything Let's Encrypt staff have told me.

2 Likes