Getting Error when trying to get a new certificate

Hi,

I had the same first issue and it was because I didn't have the latest version of Certes (3.0.4).


I also had to update a piece of code that was expecting a fullChain, but setting that to false in the file is also part of the solution, along with upgrading the NuGet package for Certes.
Thanks @brkamilo @MikeMcQ @mcpherrinm @petercooperjr @bhuxter @webprofusion @rg305 @aarongable


I actually got this a bit wrong: my previous use of Certes (in Certify The Web) was different from the default in that we read the machine trust store and push those into the Issuers collection before building the PFX. Certes doesn't read the machine trust store as I previously stated; that was just me remembering incorrectly.

What Certes actually does (and be careful with this!) is bundle the common LE roots as a resource:

This means when LE stop using ISRG Root X1 (or if you use a different CA) it may/will stop building the PFX again.

I do maintain a fork of Certes called Anvil that's used by Certify The Web (GitHub - webprofusion/anvil: A client implementation for the Automated Certificate Management Environment (ACME) protocol). Others are free to use it, but we don't make any effort to maintain compatibility between releases for other consumers.

[I should add that Certes/Anvil have support for a preferredChain option when downloading the cert from the CA, which you could use to still get DST Root CA X3 a.k.a. the long chain, but this chain is going away soon anyway]

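The two ways of resolving issuers described in the post above (a root compiled into the client versus the machine trust store), as an added example that is not Certes, Anvil or Certify The Web code. It assumes .NET 6 or later and the System.Security.Cryptography.X509Certificates API; the class and method names are invented for this illustration, and the file paths in the usage comment are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Builds a PFX for a certificate issued via ACME, resolving issuers against a
// trust store instead of a root certificate compiled into the client.
public static class AcmePfxBuilder
{
    // leaf:         the issued certificate with its private key attached.
    // acmeChain:    the intermediates returned by the ACME server (fullchain minus the leaf).
    // trustedRoots: null  = trust whatever the operating system trusts today;
    //               value = trust only these pinned roots ("bundled roots" mode, the fragile one).
    public static byte[] Build(X509Certificate2 leaf, X509Certificate2Collection acmeChain,
                               X509Certificate2Collection? trustedRoots, string pfxPassword)
    {
        using var chain = new X509Chain();
        var policy = chain.ChainPolicy;
        policy.RevocationMode = X509RevocationMode.NoCheck; // freshly issued; revocation is the server's job later
        policy.ExtraStore.AddRange(acmeChain);              // intermediates the CA handed us (e.g. R3)

        if (trustedRoots is null)
        {
            policy.TrustMode = X509ChainTrustMode.System;   // survives a CA root change as long as the OS trusts it
        }
        else
        {
            // Equivalent of shipping the root as an embedded resource: the moment the CA
            // issues from a root that is not in this collection, Build() fails.
            policy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            policy.CustomTrustStore.AddRange(trustedRoots);
        }

        if (!chain.Build(leaf))
        {
            // PartialChain here is the X509Chain counterpart of Certes' "Can not find issuer" error.
            var reasons = new List<string>();
            foreach (var s in chain.ChainStatus)
                reasons.Add($"{s.Status}: {s.StatusInformation.Trim()}");
            throw new InvalidOperationException(
                $"Cannot build chain for '{leaf.Subject}' issued by '{leaf.Issuer}': {string.Join("; ", reasons)}");
        }

        // Leaf first, then each issuer up to (and including) the root the policy accepted.
        var pfxContents = new X509Certificate2Collection();
        foreach (var element in chain.ChainElements)
            pfxContents.Add(element.Certificate);

        return pfxContents.Export(X509ContentType.Pfx, pfxPassword)
               ?? throw new InvalidOperationException("PFX export returned no data");
    }

    // Usage (paths are placeholders for the files an ACME client writes out):
    //   var leaf = X509Certificate2.CreateFromPemFile("cert.pem", "key.pem");
    //   var intermediates = new X509Certificate2Collection();
    //   intermediates.ImportFromPemFile("chain.pem");
    //   File.WriteAllBytes("site.pfx", AcmePfxBuilder.Build(leaf, intermediates, null, "p@ss"));
}
```

Passing null for trustedRoots is the sustainable mode: when the CA changes which root it chains to, nothing in the client needs a release as long as the operating system trusts the new root. The pinned mode is useful only for a test rig or a private CA whose root you control. On Windows a key loaded from PEM is ephemeral, which is fine for exporting a PFX but not for handing the certificate straight to schannel, so importing the PFX is the right next step there.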

Or if you try to use the X2 chain with LE. I'll follow up with that.


Glad you figured it out!

This phrasing makes me a little nervous; you should ensure that your servers are in fact serving the correct chain (including the intermediate) to their clients. It may be that that's what's happening and I'm just not at all familiar with this library and what that setting means.


Also, if you're maintaining your own client (which it sounds like you basically are), then you may want to take the advice in the Integration Guide and subscribe to the "API Announcements" category on this forum, so that you can be aware of any other upcoming changes (and maybe even test them ahead of time in the Staging environment where possible).


As an aside, if serving from windows with IIS (using the internal schannel etc TLS support) the cert chain is reconstructed to the most trusted path by the OS before serving, so people have been happily using DST Root CA X3 chains and the OS has been fixing it for them. When DST Root CA X3 expired most windows servers just switched to ISRG Root X1 except the ones that didn't have windows updates or had blocked CA root updates.

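A way to check the point raised two posts up (that the server really sends its intermediate) while accounting for the behaviour described in the post above (the OS quietly repairing a short chain). This is an added example, not code from Certify The Web or this forum; it assumes .NET 7 or later, because it relies on SslClientAuthenticationOptions.CertificateChainPolicy and X509ChainPolicy.DisableCertificateDownloads, and the class name and host in the usage comment are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Connects to a TLS server and reports the chain built from what the server sent
// plus the local trust store only. AIA fetching is disabled so that a missing
// intermediate shows up as PartialChain instead of being repaired behind our back.
public static class ServedChainCheck
{
    public sealed record Result(bool Trusted, SslPolicyErrors Errors,
                                IReadOnlyList<string> Elements, IReadOnlyList<string> Status);

    public static async Task<Result> InspectAsync(string host, int port = 443)
    {
        Result? result = null;

        using var tcp = new TcpClient();
        await tcp.ConnectAsync(host, port);
        using var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false,
            (sender, certificate, chain, errors) =>
            {
                var elements = new List<string>();
                var status = new List<string>();
                if (chain is not null)
                {
                    foreach (var e in chain.ChainElements)   // leaf, then issuers as resolved
                        elements.Add(e.Certificate.Subject);
                    foreach (var s in chain.ChainStatus)     // e.g. PartialChain, UntrustedRoot, NotTimeValid
                        status.Add($"{s.Status}: {s.StatusInformation.Trim()}");
                }
                result = new Result(errors == SslPolicyErrors.None, errors, elements, status);
                return true; // inspecting, not enforcing: let the handshake finish either way
            });

        var options = new SslClientAuthenticationOptions
        {
            TargetHost = host,
            CertificateChainPolicy = new X509ChainPolicy
            {
                DisableCertificateDownloads = true,           // no AIA fetch of an intermediate the server omitted
                RevocationMode = X509RevocationMode.NoCheck,  // keep the answer about chain structure only
            },
        };
        await ssl.AuthenticateAsClientAsync(options);
        return result ?? throw new InvalidOperationException("validation callback was not invoked");
    }

    // Usage (host is a placeholder):
    //   var r = await ServedChainCheck.InspectAsync("www.example.com");
    //   Console.WriteLine(r.Trusted ? "chain OK" : $"chain problem: {r.Errors}");
    //   foreach (var e in r.Elements) Console.WriteLine("  " + e);
    //   foreach (var s in r.Status)   Console.WriteLine("  ! " + s);
}
```

A server that sends leaf plus R3 should report three elements (the leaf, R3, and ISRG Root X1 from the local store) and no status entries; a server that sends only the leaf should report PartialChain with RemoteCertificateChainErrors. One caveat: on Windows an intermediate that was cached earlier in the Intermediate Certification Authorities store will still be found even with downloads disabled, so run the check from a host that has not talked to that CA before, or compare with openssl s_client -showcerts from a non-Windows box.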

Turns out Certes has had a bug on file regarding this certificate bundling for a couple of months now: Planned changes to Lets Encrypt - short chain delivery · Issue #315 · fszlin/certes · GitHub

But because it was filed by folks using out-of-date versions of Certes, the solution so far has been "update Certes" rather than "change Certes so it doesn't require bundling these roots at all". We should probably chime in over there to nudge things in a more sustainable direction.


Last I checked I did actually have commit/merge rights on that repo, but it's kind-of-not-quite abandoned and not really my place to make changes; I think the original author just uses/used it for an internal corporate thing that doesn't need regular updates. PRs rarely get merged and issues are unattended. Not sure what the status of it is really.


This is what still happens when I am trying to auto-renew my certificate with HTTP-01. I don't have anything special configured with Certify the Web:

2024-02-14 03:34:25.150 -07:00 [INF] Order authorizations already completed.
2024-02-14 03:34:25.150 -07:00 [INF] Requesting Certificate via Let's Encrypt
2024-02-14 03:34:27.509 -07:00 [ERR] Certificate request process failed: Certes.AcmeException: Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'.
at Certes.Pkcs.CertificateStore.GetIssuers(Byte der)
at Certes.Pkcs.PfxBuilder.FindIssuers()
at Certes.Pkcs.PfxBuilder.Build(String friendlyName, String password)
at Certify.Providers.Certes.CertesACMEProvider.ExportFullCertPFX(String certFriendlyName, IKey csrKey, CertificateChain certificateChain, String pfxFile)
at Certify.Providers.Certes.CertesACMEProvider.d__30.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__12.MoveNext() in C:\Work\GIT\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 744
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__11.MoveNext() in C:\Work\GIT\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 557
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__8.MoveNext() in C:\Work\GIT\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 333
2024-02-14 03:34:27.509 -07:00 [INF] REDACTED: Request failed - Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'. Certes.AcmeException: Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'.

Unless I need to adjust some settings with the Advanced Certificate option to use a specific preferred chain now?

Are you on the current version of Certify The Web?


This is pretty much the exact problem being discussed, so in your case just upgrade Certify The Web to the latest version e.g. 6.0.14.

Based on the error message I'd say this is a version from 2021 or earlier, and we've done at least 35 releases since then! The app should be offering the update to you in the UI, but if it's not (is outgoing HTTPS blocked?) just download and install the latest version from https://certifytheweb.com

Yes, there is a per-certificate preferred chain option under Certificate > Advanced > Certificate Authority - Preferred Chain (which you could set to DST Root CA X3 but I wouldn't recommend that) but you may not even have that option depending on how old your version is.

[As a note to other LE community helpers: if this problem crops up with Certify The Web the resolution is always just to use the latest version. We have some users on versions from over 6 years ago who are definitely going to have problems; 90%+ of our users are on the free community edition and we don't have their contact details.]


Awesome, thanks for the information. I did the update but was waiting for the time-out window to expire to try to renew the cert. Everything is working okay now.

