Help thread for DST Root CA X3 expiration (September 2021)

Firefox could be building the verification chain differently.

Your screenshots show the correct information.

That's Great :smiley:

Thank you.

Jack.

That statement seems misleading.
The leaf cert itself contains the issuing intermediate information (whether or not the Intermediate cert is ever sent by the server is irrelevant).
So the recipient of that leaf cert can (with extra downloads, if needed) build the missing intermediates [looping until it finds a cert that it trusts or one that is known to be untrustworthy or one that has expired].

I'd say: neither.
It simply makes them trusted (by the trusting system).
[trust is transitive - anything trusted is trusted (regardless of issuer or labeling)]

The leaf certificate only contains the subject of the issuer, not the intermediate certificate or its keypair itself (we're ignoring AIA here for a moment), so it hardly contains the "intermediate information" - it just contains a hint on what keypair(s) to check - it doesn't tell you these, if you don't know them already.

My description was specifically for OpenSSL and for OpenSSL it is not irrelevant, given that any common trust store will not contain the R3 keypair, and OpenSSL does not support certificate caching/preloading or AIA.

So my description that OpenSSL 'sees the issuer R3' (from the leaf) still holds, and it also holds that it initially doesn't know what R3 is, until it sees the intermediate certificate sent by the server.

This is a very generic description and is not what OpenSSL does unless you're running highly unusual configurations.

I think those are what @rg305 was meaning by "intermediate information". I certainly see your points though about OpenSSL's behavior for the rest. It's a different animal.

K, not trying to argue, just trying to get help, so apologies. Anyway, looks like we're using Posh-ACME to get the certs, but like I said it's not pulling the newer RSA chain, it's still pulling the R3 signed by DST Root CA X3. Just looking for help from y'all (the experts) on how I can get the newer chain instead of the old one. I don't need a step-by-step procedure (although that would be awesome) as much as a general guide on how to get this done. TIA!

For Posh-ACME, you can update the current order to pull down the alternate chain like this.

Set-PAOrder -PreferredChain 'ISRG Root X1'

This will make sure future renewals use the alternate chain as well as update the existing fullchain.cer and fullchain.pfx files for the order if they exist.

If you have multiple orders you need to update, it might be easier to do them all at once like this:

Get-PAOrder -List | Set-PAOrder -PreferredChain 'ISRG Root X1'

Cool, thanks. So when I do that it's saying I need to Set-PAServer first. Is that specific to my org or does LE have a universal one?

But @rmbolger, the issue here is that "alternate chain" should NOT be necessary. R3 signed by DST Root CA X3 hasn't been used since May this year! Posh-ACME should be using the provided chain without any "PreferredChain" option whatsoever! The ACME client should use the chain provided by the ACME server...

That said, I have no idea how Posh-ACME/Windows configures chains in the first place.....

Here's what I get when running the Posh-ACME command to pull a cert today:
(screenshot not included)

Apologies, I misunderstood the context of what was going on. Posh-ACME pulls down the default chain provided by the ACME server when PreferredChain is not specified.

The Windows cert GUI is only showing you the chain it chose to build (similar to how a browser does it). It's not showing you the chain that got pulled down by Posh-ACME. @webprofusion has been doing a bunch of tests recently on how Windows is choosing to build the chain.
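The two points above (Posh-ACME writes whatever chain the ACME server hands it, while the Windows certificate GUI shows a chain that CryptoAPI builds on its own) are easiest to see side by side. The following PowerShell is an added example, not code from the thread or from the Posh-ACME project. It assumes Posh-ACME is installed with an existing order, and it assumes the FullChainFile property name on the object returned by Get-PACertificate; the two helper function names are made up here.

```powershell
# Added example (not from the thread or the Posh-ACME project).
# Assumes: Posh-ACME is installed, an order exists, and Get-PACertificate
# returns an object with a FullChainFile property (assumed name).

Add-Type -AssemblyName System.Security

# Parse every PEM certificate block in a file into X509Certificate2 objects,
# so we see exactly what Posh-ACME wrote rather than what Windows reconstructs.
function Get-PemCertificates {
    param([Parameter(Mandatory)][string]$Path)
    $pem = Get-Content -Path $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($pem, $pattern)) {
        $b64 = $m.Groups[1].Value -replace '\s', ''
        $der = [Convert]::FromBase64String($b64)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

# Print the chain as delivered by the ACME server (via Posh-ACME) and say
# whether it terminates in a certificate issued by DST Root CA X3.
function Show-DeliveredChain {
    param([Parameter(Mandatory)][string]$Path)
    $certs = @(Get-PemCertificates -Path $Path)
    Write-Host "Chain as written to $Path ($($certs.Count) certs):"
    foreach ($c in $certs) {
        Write-Host ('  {0}  <-  {1}' -f $c.Subject, $c.Issuer)
    }
    $top = $certs[-1]
    if ($top.Issuer -match 'DST Root CA X3') {
        Write-Warning 'Delivered chain ends in a certificate issued by DST Root CA X3 (the default, long chain).'
    } elseif ($top.Issuer -match 'ISRG Root X1') {
        Write-Host 'Delivered chain ends at R3 issued by ISRG Root X1 (the alternate, short chain).'
    }
}

# Build a chain for the same leaf the way CryptoAPI does (local store, AIA),
# which is what the Windows certificate GUI displays.
function Show-WindowsBuiltChain {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($Leaf)
    Write-Host 'Chain as built by Windows for the same leaf:'
    foreach ($el in $chain.ChainElements) {
        Write-Host ('  {0}  <-  {1}' -f $el.Certificate.Subject, $el.Certificate.Issuer)
    }
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ('  status: {0} {1}' -f $s.Status, $s.StatusInformation)
    }
}

# Usage (runs against the current Posh-ACME order):
# Optionally switch this order and future renewals to the alternate chain first:
#   Set-PAOrder -PreferredChain 'ISRG Root X1'
$cert = Get-PACertificate
Show-DeliveredChain -Path $cert.FullChainFile
$leaf = @(Get-PemCertificates -Path $cert.FullChainFile)[0]
Show-WindowsBuiltChain -Leaf $leaf
```

The first listing is the ground truth for what your server will send if you deploy fullchain.cer as-is; the second is only what this particular Windows host prefers to build, and it can differ from the first (and from host to host) depending on which roots and cached intermediates are present locally.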

So what I was told to get the root and intermediates is take those from this cert by exporting them out of this full cert above. Guess i'm just confused on how i get the updated root/intermediate out of the cert that poshacme is pulling from LE...

I pulled the full chain into a different windows host and see the X1 there in the chain! I think i'm good now. Thanks so much!

Again, if anyone wants to see the actual chain being served by their server, use this:

https://decoder.link/sslchecker/

By the way, I noticed that GoDaddy cPanel has recently been updated to serve only R3 signed by ISRG Root X1 rather than only R3 signed by DST Root CA X3.

@lestaff

Congratulations Let's Encrypt! :partying_face:

One of the world's largest hosting providers has switched entirely to rely on your root without cross-signing!

https://decoder.link/sslchecker/griffin.software/443

https://www.sslshopper.com/ssl-checker.html#hostname=griffin.software

Awesome!!!

I guess it's safe to assume that my site certificate needs will be transparent to the X3 expiration.

I presume a new X3 will be operational to take over before the old one lapses.

We have some integration in place between Microsoft O365 and Cisco ( IM&P ) Presence. We originally installed the certificate bundle from the link below which included the DST_Root_CA_X3 certificate. I checked the latest bundle from Microsoft, and it contains the same Root certificate with the same expiration.

Hi @thaubein, welcome to the LE community forum :slight_smile:

I think those may be only the CAs MS O365 sites are using.
Those bundles might not include any LE root certs :frowning: