Help thread for DST Root CA X3 expiration (September 2021)

@Osiris thanks a lot for clarifying, I'm using auto-ssl/lua-resty-auto-ssl with resty to generate certificate for few hundred websites and I think it uses dehydrated under the hood which supports preferred-chain option. However it's a big hassle to generate few hundred certificates. Also what's interesting when I check the chain on my machine I get short version but for the same certificate the clients who have issues get longer chain, that's why I'm not sure if regenerating will solve it at all?

2 Likes

If you're "checking the chain" using a browser, then note that this is not a good way to check which chain your server is sending. It only shows one of the possible chains a browser can make. And browsers often can make a few different chains. It's better to use openssl s_client -connect $hostname:443 -servername $hostname or online checkers such as https://www.sslshopper.com/ssl-checker.html .

Also note that if you choose to use the short chain and the actual issue your clients have is a lack of ISRG Root X1 in their certificate root store, the short chain won't fix anything.

4 Likes

Thanks @Osiris the issue with client is that her browser shows ISRG Root X1 -> DST Root CA X3 and the last one being expired. Would this mean then I can then regenerate with short chain this one and then it will be just fine ? What I'm afraid of is that in her browser ISRG Root X1 might still point to expired one.

2 Likes

I think the thing you should be afraid of is that with the short chain your client would get an "issuer unknown" error. It looks like your client doesn't have ISRG Root X1 in the root store. I've seen more issues with Windows 7 not updating the root certificate store. Take a look around on the Community. I'm not a Windows 7 user, so I have no clue about it, but it did came up a few times.

3 Likes

So the safest path is to ask them to update their OS ?

1 Like

I think their Windows 7 is missing the ISRG Root X1 indeed due to missing updates. See for example the following post from a different thread with a possible solution: Windows 7 Chrome - NET::ERR_CERT_DATE_INVALID - #48 by i4004

2 Likes

Greetings LE community,

We have recently changed our certificates to use --preferred-chain "ISRG Root X1 as we did not have control over clients connecting to our services. This worked perfectly. However, I was wondering what the difference in compatibility between the short-chain vs the default longer chain is.

Is it expected we migrate to the longer default chain eventually or is the shorter chain also long-lived supported?

1 Like

Hi there Sander, welcome!

The longer chain is purely there for compatibility for Android older than 7.1.1.

The short chain is in principle the "correct" chain, but lacks older Android compatibility, so LE chose to use the longer chain by default.

5 Likes

Both trust paths hinge on the same cert ("ISRG Root X1") - which only has one expiration date.
So that makes the lifespan of both trust paths identical.

1 Like

Just to clarify:

ISRG Root X1 cross signed certificate served in long chain will expire at Sep 30 18:14:03 2024 GMT

ISRG Root X1 self signed certificate will expire at Jun 4 11:04:38 2035 GMT

Cheers,
sahsanu

2 Likes

But that wouldn't hamper a non-Android-pre-7.1.1 client even if the "long" chain was used by the server, as such clients would chain to the ISRG Root X1 in their trust store and would ignore the cross-signed ISRG Root X1 anyway. The expiry date of Sep 30 18:14:03 2024 GMT is just relevant for older Androids.

4 Likes

Point taken.
YMMV; As their expiry dates are not seen equally by all clients.
The ones that can "short-circuit" the validation, will use the longer date explicitly seen in their trust store.
The ones that can't must rely on the validity of the signer (outside of the root itself).

5 Likes

Yes, correct. I just was trying to clarify this question:

4 Likes

Hi Let's Encrypt ,

I have followed the news about the expiration of X3 and I thought that I didn't have to do any changes for my website. But know I can see that my traffic has fallen by 20% and several browsers are not able to access the site without the big warning of an invalid certificate.

When I look at the chain it is as follows

DST Root CA X3

and is says

This certificate is not valid (expired root)

Any help would be most appreciated.

Christian

2 Likes

Hi @mmncs and welcome to the LE community forum :slight_smile:

I would try switching to the alternate/shorter trust path chain.
How that is done on your server depends on may things...
How much access do you have to it?
Are you an admin or only make changes through a menu/panel?

4 Likes

Hi rg305,

I have full access and right now I am trying to upgrade my certbot to 1.12 where I have the command:

--preferred-chain "ISRG Root X1"

I have tried to add it to the letsencrypt conf file like this:

[renewalparams]
authenticator = webroot
rsa_key_size = 4096
server = https://acme-v02.api.letsencrypt.org/directory
preferred_chain = ISRG Root X1

2 Likes

@mmncs
If you have certbot lower than 1.12, that entry won't do anything.
You can manually edit the fullchain.pem (or chain.pem) file used and remove the last cert from it.
[for a "quick fix" / temporary workaround - that won't survive renewal; as all cert files will be replaced then]

4 Likes

I have access to the fullchain.pem but I really don't know how I should edit it...

and thank you for your time!

3 Likes

Sorry didn't read, so I just delete the last key I guess...

2 Likes

I'd use: vi, but you can use any text editor.
Like: nano

Look for "-----BEGIN *-----" and "-----END *-----" lines.
They surround the certs.
Simply delete the last cert (and the lines surrounding it).
Save the file.
Restart the web service.

Yes, it has one two many certs.

4 Likes