Getting the intermediate chain after the September 2021 changes?

mehov · November 25, 2022, 4:47pm

Hi everyone,

After the DST Root CA X3 Expiration in September 2021, my older iOS device is stuck on that expired certificate.

I found someone else having this exact problem, and being able to fix by "sending the full chain" from the server. But I'm not sure where do I get the intermediate certs for my issued letsencrypt cert? I checked the live folder where the certs are for my domain and read the README file, still no clue. Here @MikeMcQ says fullchain.pem is your leaf with the full intermediate chain, but my Nginx is already configured to send the fullchain.pem, and it doesn't work for the old iOS.

debian# openssl s_client -connect www.example.com:443 -servername www.example.com -trusted_first |head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.example.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
read:errno=0

Looking further on this forum, I found links to the missing certs from @schoen in ISRG Root X1 not supported on ios 9.3.5:

Following the idea that worked for SSL Certificate Not Trusted - Intermediate Certificate, I have tried to append the above isrgrootx1.pem to the end of my fullchain.pem using a text editor. The nginx server reloaded fine and seemingly picked it up, but it didn't fix the issue on my older device.

However, one step has been added to the openssl output:

debian# openssl s_client -connect www.example.com:443 -servername www.example.com -trusted_first |head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.example.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
read:errno=0

I thought what if I should have placed it after the first block but not at the end? Still nothing.

debian# openssl s_client -connect www.example.com:443 -servername www.example.com -trusted_first |head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.example.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
read:errno=0

Haven't yet tried manually adding the isrgrootx1.pem to my iPhone because I want it to work on the server first.

I'm pretty sure I'm missing something. Where do I get the intermediate chain? The certificatechain.io service suggested here is no longer working. Please help

Bruce5051 · November 25, 2022, 6:34pm

You can find all the certificates for Let's Encrypt Certificate Authority here: Chain of Trust - Let's Encrypt

Also see Long (default) and Short (alternate) Certificate Chains Explained

petercooperjr · November 25, 2022, 6:54pm

mehov:

my Nginx is already configured to send the fullchain.pem, and it doesn't work for the old iOS.

Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

This is the correct (most compatible with most systems) chain to be sending.

I think what you're looking for is the Certificate Compatibility guide, which shows that iOS before version 10 won't support Let's Encrypt certificates.

Yes, it's unfortunate that Apple doesn't provide security updates for a longer length of time than they do.

It looks like your server was sending the correct chain in the first place. So if you want Let's Encrypt to work on your phone, you just need to manually add that root to it. Though of course just doing so doesn't mean that your phone is actually securely communicating with servers if it isn't getting security updates anymore.

Bruce5051 · November 25, 2022, 11:19pm

I realize you are seeking information regarding iPhones, but this link on Android may visually help chains.
Also this link is from May 13, 2021 so may be a bit stale.

rg305 · November 26, 2022, 5:16am

Have you considered using another FREE CA?
Some may be providing much older root cert paths - which may be more compatible with such outdated phones.
[stave off the inevitable ... one more day!]

system · December 26, 2022, 5:16am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
IdenTrust DST Root CA X3 expiry Help	18	5241	November 6, 2021
What happens in 2021 when the IdenTrust root certificate expires? Issuance Tech	4	3306	August 22, 2018
Should I add both DST Root CA X3 and ISRG Root X1 intermediates? Server	23	12389	September 6, 2018
DST Root CA X3 Expiration Help	16	2732	December 12, 2021
Renew DST Root CA X3 on IIS? Help	8	1892	December 25, 2021

Getting the intermediate chain after the September 2021 changes?

Related topics