Help thread for DST Root CA X3 expiration (September 2021)

Here's what I get when running the Posh-ACME command to pull a cert today:
[image]

1 Like

Apologies, I misunderstood the context of what was going on. Posh-ACME pulls down the default chain provided by the ACME server when PreferredChain is not specified.

The Windows cert GUI is only showing you the chain it chose to build (similar to how a browser does it). It's not showing you the chain that got pulled down by Posh-ACME. @webprofusion has been doing a bunch of tests recently on how Windows is choosing to build the chain.

8 Likes

So what I was told to get the root and intermediates is take those from this cert by exporting them out of this full cert above. Guess I'm just confused on how I get the updated root/intermediate out of the cert that Posh-ACME is pulling from LE...

1 Like

I pulled the full chain into a different Windows host and see the X1 there in the chain! I think I'm good now. Thanks so much!

2 Likes

Again, if anyone wants to see the actual chain being served by their server, use this:

https://decoder.link/sslchecker/

5 Likes

By the way, I noticed that GoDaddy cPanel has recently been updated to serve only R3 signed by ISRG Root X1 rather than only R3 signed by DST Root CA X3.

@lestaff

Congratulations Let's Encrypt! :partying_face:

One of the world's largest hosting providers has switched entirely to rely on your root without cross-signing!

https://decoder.link/sslchecker/griffin.software/443

https://www.sslshopper.com/ssl-checker.html#hostname=griffin.software

12 Likes

Awesome!!!

5 Likes

I guess it's safe to assume that my site certificate needs will be transparent to the X3 expiration.

I presume a new X3 will be operational to take over before the old one lapses.

1 Like

We have some integration in place between Microsoft O365 and Cisco ( IM&P ) Presence. We originally installed the certificate bundle from the link below which included the DST_Root_CA_X3 certificate. I checked the latest bundle from Microsoft, and it contains the same Root certificate with the same expiration.

2 Likes

Hi @thaubein, welcome to the LE community forum :slight_smile:

I think those may be only the CAs MS O365 sites are using.
Those bundles might not include any LE root certs :frowning:

7 Likes

What @rg305 said is correct -- those certificate bundles are "all roots that a certificate used by a Microsoft 365 site might chain up to". Those bundles contain many roots other than DST Root CA X3, so it's safe to assume that Microsoft 365 has handled the upcoming expiration in their own way. Either way, since Microsoft 365 doesn't appear to use Let's Encrypt to issue certs for any of their services, it's not within the purview of this forum.

7 Likes

I have no special requirements, currently my certificate Leaf -> R3-> DST Root CA X3. After DST Root CA X3 expires, will it automatically become Leaf ->R3-> ISRG Root X1? I am just worried that it will affect the use of the website after September 30.

2 Likes

@fangze217 It now goes directly from R3 to DST Root CA X3?
If so, which ACME client are you using and when/how was that chain built?

5 Likes

Hello,

I have two questions:

  1. We use the Authority Information Access extension in the certificates to build the full chain. The R3 intermediate points to http://x1.c.lencr.org/ regardless of if it is signed by the self-signed X1 or the cross-signed X1. Is it possible to update the endpoint to point to the cross-signed X1? It currently returns the self-signed X1.
  2. If a certificate uses the R3 intermediate with the self-signed X1, can we simply forward the cross-signed X1 or do we need to re-generate the certificate? I suspect that it was generated with the cross-signed X1 since we did not specify to use the alternate chain, but I just want to make sure that the two are interchangeable (except by the older devices).

Thanks!

4 Likes

The keypairs of the self-signed X1 and cross-signed X1 certificates are the same. Both can be used to verify the R3 intermediate. (Which makes sense, as currently there also is just a single R3 intermediate cert, not two for each X1 cert.) You can think of the common name of the intermediate/root certificates as the name for the keypair and not as much as the name for a certificate.

8 Likes

Thank you, Osiris.

I guess we can try to create a custom solution to resolve this, but I am hoping that the endpoint can be updated, if only because it is the currently active signer.

3 Likes

win-acme.v2.0.10.444,

2 Likes

Not sure if it will make any difference, but they are up to: win-acme.v2.1.18.1119

3 Likes

After the expiration of the DST Root CA X3 certificate at 10 pm on 9:30, 2021, will it affect the normal operation of the website? Will my website become an insecure address? I am using win-acme.v2.0.10.444 client, do I need to update? I am worried, my friend.

2 Likes

Try this to disable use of the expiring R3 in your chain [on Windows servers]:

  • Open certlm.msc, expand the tree for [1] Intermediate Certification Authorities > Certificates and for [2] Untrusted Certificates > Certificates.
  • Drag R3 issued by DST Root CA X3 from [1] to [2]; this will disallow the expiring R3. Don't do this for R3 issued by ISRG Root X1.
  • Ensure you have R3 issued by ISRG Root X1 installed in Intermediate Certification Authorities > Certificates, if not you can get it from https://letsencrypt.org/certs/lets-encrypt-r3.der and install it to that store.

Check your served chain again, you may need a reboot.

6 Likes
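The same three certlm.msc steps as a script, added here as an example and not code from the thread or from any ACME client: it runs in an elevated PowerShell on the server, assumes .NET renders the R3 subject as `CN=R3, O=Let's Encrypt, C=US`, and uses the download URL given in the post above.

```powershell
# Added example: automate "move the DST-issued R3 to Untrusted, keep/install the ISRG-issued R3".
# Run elevated on the Windows server. Store names: "CA" = Intermediate Certification Authorities,
# "Disallowed" = Untrusted Certificates (both under LocalMachine).
$r3Url  = 'https://letsencrypt.org/certs/lets-encrypt-r3.der'   # from the post above
$r3Path = Join-Path $env:TEMP 'lets-encrypt-r3.der'

$caStore  = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
$badStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
$caStore.Open('ReadWrite')
$badStore.Open('ReadWrite')

# Step 1/2: find every R3 in the Intermediate store and move only the DST-issued one to Untrusted.
# (Assumption: the subject string starts with "CN=R3,"; issuer matched by root name.)
$r3Certs = @($caStore.Certificates | Where-Object { $_.Subject -like 'CN=R3,*' })
foreach ($cert in $r3Certs) {
    if ($cert.Issuer -like '*DST Root CA X3*') {
        Write-Host "Disallowing R3 issued by DST Root CA X3 (thumbprint $($cert.Thumbprint))"
        $badStore.Add($cert)      # add to Untrusted first, then remove from Intermediate
        $caStore.Remove($cert)
    }
    elseif ($cert.Issuer -like '*ISRG Root X1*') {
        Write-Host "Keeping R3 issued by ISRG Root X1 (thumbprint $($cert.Thumbprint))"
    }
}

# Step 3: make sure the ISRG-issued R3 is present; fetch and install it if it is missing.
$goodR3 = @($caStore.Certificates | Where-Object {
    $_.Subject -like 'CN=R3,*' -and $_.Issuer -like '*ISRG Root X1*'
})
if ($goodR3.Count -eq 0) {
    Invoke-WebRequest -Uri $r3Url -OutFile $r3Path
    $newR3 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($r3Path)
    # Sanity check before trusting the download: it must really be R3 chained to ISRG Root X1.
    if ($newR3.Subject -like 'CN=R3,*' -and $newR3.Issuer -like '*ISRG Root X1*') {
        $caStore.Add($newR3)
        Write-Host "Installed R3 issued by $($newR3.Issuer) (thumbprint $($newR3.Thumbprint))"
    } else {
        Write-Warning "Downloaded file is not the expected R3 (subject '$($newR3.Subject)'); not installed."
    }
}

$caStore.Close()
$badStore.Close()

# Show the resulting state so you can confirm which R3 lives in which store before re-testing.
Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -like 'CN=R3,*' } |
    Select-Object PSParentPath, Issuer, NotAfter, Thumbprint
```

After running it, re-check the served chain with an external checker; as the post notes, a reboot (or at least restarting the web server) may be needed before Windows rebuilds the chain.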