Maybe we're using the same terms for different things, but both chain.pem & fullchain.pem do include the root ISRG X1 certificate as the final certificate in each file. The problem for my use case was that certificate was not the self-signed version, but rather a version that was issued by DST CA X3 which caused vCenter to bail out because that is an expired certificate.
From what I'm reading here, certbot (which is the client I'm using) is already defaulting to the "new" chain which still provides the cross-signed ISRG X1 root certificate.
I'm not sure what to tell you, the fullchains I previously got back from LE/ACME via certbot contained 3 certs:
The server cert being issued
The intermediate cert which signed the server cert (currently R3)
The root cert that signed the intermediate cert (currently ISRG Root X1)
Currently, the root cert provided is signed by the now-expired DST Root CA X3.
I'm not sure vCenter server would accept that without the ISRG Root X1 certificate added to its trust store.
I can also confirm that adding the --preferred-chain "ISRG Root X1" switch to certbot results in the fullchain only containing R3 & ISRG X1 currently & the chain only containing R3 currently.
At this point, I've got a working setup so I'm just documenting all of this here for others who may run into the same problem when they go to update their VMware vCenter server certificates with LE and find themselves in a bind.
BlackBerry 10 Devices (with the most recent and last OS update) have a work around for this expired certificate [ DST Root CA X3 ]. So the native BlackBerry Browser can still once again visit sites disabled by the expiry of this certificate (ie like Wikipedia).
On the BlackBerry phones in [Settings][Security and Privacy][Certificates]
Search for: [ DST Root CA X3 ]
Remove the CheckBox for Trusted (so it will now be untrusted).
In the BlackBerry case this caused an error that indicated the [ ISRG Root X1 ] might be the problem. However unchecking [ DST Root CA X3 ] now allows [ ISRG Root X1 ] to be the default certificate to check in the chain, and it is trusted already on BB10 phones. Now the Browser will no longer block access to sites that depend on this Security Certificate. In order to know that the expired [ DST Root CA X3 ] was the cause (in causing the block to Wikipedia etc) , you can optionally uncheck trusted for [ ISRG Root X1 ], just to see the[ DST Root CA X3] show up in the certificate details chain on the BlackBerry Web Browser site blocked certificate details page. Just make sure you check it back as Trusted after untrusting [ DST Root CA X3 ].
Easy Fix. Other solutions can be found on CrackBerry.com (the official unofficial resource community for BlackBerry related issues and users).
So its not quite true that Blackberry 10 devices will no longer validate "Let's Encrypt certificates". All that a user needs to do to correct sites from being blocked, is remove Trusted from the expired certificate [DST Root CA X3], and the [ ISRG Root X1 ] will work as it is Trusted by default. The two certificates appear to conflict if both are marked as trusted and one is expired. On older Blackberry 10 OS versions <10.3.3, a user may need to import the ISRG certificate, if it is not included. Blackberry 10 phones can allow users to manually Trust or unTrust certificates that are installed, and so can continue to work after September 2021.
Don't worry to much the "Overall rating:" it is just a grading system, worry more about the real security of your server. Yes the "Overall rating:" is helpful but not the end all be all.
My 23 year old son claims that I am "pedantically prolifically languagistly bombastic"
And SSL Labs gives my site SSL Server Test (Powered by Qualys SSL Labs)
but is actually secure in reality? I doubt it. Yet it is ridiculously restrictive, thus far from being widely compatible with older system.
To that, I'd have to say... Congrats on providing him with the opportunity of such a fine education!
Not only can he use "big words", he can make a complete sentence using only "big words" - you should be proud (I am; I don't even know him).
[although I think you might have misquoted "linguistically" as "languagistly" - but I'm no Harvard scholar so who knows]
Some would say that config is a bit over the top . But given that this really looks like you wanted to do it right, I would suggest that you turn off (TLSv1.2) session tickets too.
HPKP is also not recommended anymore (sadly) and I would suggest some more AEAD ciphers on the TLSv1.2 side (the same as for 1.3 for example is fine). If you want to help out some non AES-NI accelerated devices, selecting ChaCha for them is also nice (OpenSSL has a flag for this - other libraries it depends).
Someone could explain to me how this still works !!! Below is the fullchain of my certificate in reverse order issued yesterday, Dec. 7th.
The "DST Root CA X3" is expired but still in use to renew certificates !!!
I understand "ISRG Root X1" is not expired but the issuer is expired. What am I missing here ?
Certificate 1 (top)
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Validity
Not Before: Jan 20 19:14:03 2021 GMT
Not After : Sep 30 18:14:03 2024 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Certificate 2
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Sep 4 00:00:00 2020 GMT
Not After : Sep 15 16:00:00 2025 GMT
Subject: C = US, O = Let's Encrypt, CN = R3
Certificate 3 (my certificate signed by lets encrypt)
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:fd:94:55:b2:59:85:92:40:26:24:15:bf:60:42:16:b1:5d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: Dec 7 16:16:34 2021 GMT
Not After : Mar 7 16:16:33 2022 GMT
Subject: CN =
Someone could explain to me how this still works !!! Below is the fullchain of my certificate in reverse order issued yesterday, Dec. 7th.
The "DST Root CA X3" is expired but still in use to renew certificates !!!
I understand "ISRG Root X1" is not expired but the issuer is expired. What am I missing here ?
Certificate 1 (top)
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Validity
Not Before: Jan 20 19:14:03 2021 GMT
Not After : Sep 30 18:14:03 2024 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Certificate 2
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Sep 4 00:00:00 2020 GMT
Not After : Sep 15 16:00:00 2025 GMT
Subject: C = US, O = Let's Encrypt, CN = R3
Certificate 3 (my certificate signed by lets encrypt)
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:fd:94:55:b2:59:85:92:40:26:24:15:bf:60:42:16:b1:5d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: Dec 7 16:16:34 2021 GMT
Not After : Mar 7 16:16:33 2022 GMT
Subject: CN =
. But given that this really looks like you wanted to do it right, I would suggest that you turn off (TLSv1.2) session tickets too.