I can't get the ISRG Root X2 certificate now

GodSir · April 4, 2023, 12:58am

I can't get the ISRG Root X2 certificate now,My account has been able to obtain the ISRG Root X2 certificate before, but now I only get the X1 certificate when I renew the certificate. Why can't I get the X2 certificate?

rmbolger · April 4, 2023, 2:29am

The ISRG Root X2 certificate is downloadable from the Chain of Trust page. But I don't think that's what you meant.

It sounds like you were getting previous certificates signed by the ECDSA intermediate, E1, which was signed by ISRG Root X2? And now your new certificates are being signed by the RSA intermediate, R3, which was signed by ISRG Root X1?

If so, can you provide the domain name in one of the certs so folks here can verify the issuance history? Did anything else change on the server that might have caused a change in the ACME client configuration?

GodSir · April 4, 2023, 6:07am

yes. the domain xiaoyu.net was signed by ISRG Root X2. i don't know why it is X1 now.

MikeMcQ · April 4, 2023, 10:39am

You probably changed the account used to request the cert. Review this topic for instructions

GodSir · April 4, 2023, 10:41am

I did not change account.

GodSir · April 4, 2023, 10:57am

i try apply allow list again, get this reply email:

Your request for your ACME account ID to be placed on the Let's Encrypt ECDSA allowlist has been moved to production. Now when you request a cert from Let's Encrypt with your ECDSA key, the cert will be issued from our ECDSA hierarchy.

If you have any further questions or feedback about how ECDSA certificates are working in your environment, please post on our helpful Community Forums: https://community.letsencrypt.org/

MikeMcQ · April 4, 2023, 10:58am

so if you get another cert do you get it with the X2? Also, you should review your SSL labs report because your IPV6 looks wrong
https://www.ssllabs.com/ssltest/analyze.html?d=xiaoyu.net

rmbolger · April 4, 2023, 5:50pm

Did something change on your server around April 1? CT Logs show you got both an E1 and R3 issued cert on that date. The E1 one was issued a bit over an hour after the R3 one.

GodSir · April 5, 2023, 6:50am

I first failed to apply for a certificate using the acme of pfsense. I had to use the Certify software to apply for a certificate successfully with the same account, but it was an R3 certificate.

now pfsense acme show has E1 cert.

system · May 5, 2023, 6:50am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.