DST Root CA X3's expiration date has come into effect, and I would like to know how to create a SHA-1 certificate with Let's Encrypt.
Previously, I had been creating certificates as follows:
① Use the certbot command to create fullchain.pem
【Use Command】
certbot certonly --manual -d xxx.jp -d xxx.jp --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --preferred-chain "DST Root CA X3"
② Download the DST Root CA X3 root certificate
③ Combine fullchain.pem, isrg-root-x1-cross-signed.pem, and privkey.pem, creating a SHA-1 SSL certificate
From October 1, 2024, will there be any other methods to create a SHA-1 certificate other than the above procedure?
I do not believe Let’s Encrypt supports SHA-1 as it is old and broken.
How does that create a SHA-1 certificate?
Hello @MasahiroMorita, welcome to the Let's Encrypt community.
When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
@MasahiroMorita can you tell us more about what you need from a technical perspective? Why SHA-1?
Your certificates from Let's Encrypt have always been a sha256 signature (crt.sh | facepayment.jp), but they can have a SHA-1 fingerprint (sometimes used as a certificate thumbprint/identifier in places).