Issuance on R3 vs. X3: is this configurable?

Is there anything different our acme client needs to do to retrieve with the trust chain changed to R3 from X3? I've seen topics elsewhere say this change will happen in the fall, but no further information. Will it be an additional alternate link relation or will R3 just one day replace X3 as the intermediate?

2 Likes

Hello Tim :slightly_smiling_face:

As of January 11, 2021, we’re planning to make a change to our API so that ACME clients will, by default, serve a certificate chain that leads to ISRG Root X1. However, it will also be possible to serve an alternate certificate chain for the same certificate that leads to DST Root X3 and offers broader compatibility. This is implemented via the ACME “alternate” link relation. This is supported by Certbot from version 1.6.0 onwards. If you use a different ACME client, please check your client’s documentation to see if the “alternate” link relation is supported.

1 Like

@griffin: That's talking about the switch in roots, whereas I think that this is asking about the switch in intermediates. They're kind of related, but as both R3 and X3 are signed by both roots it's really a different question.

My understanding is that at some point leaf certificates will be signed by R3 instead of X3, and that it'll just switch over at some point "soon", but I don't remember seeing a specific date for it yet.

As long as your client is downloading the full chain from the ACME server, you shouldn't need to do anything special. (And at any point Let's Encrypt might need to switch to their backup X4 or R4 without further notice, or issue a new intermediate, and you shouldn't need to do anything specific for any of those cases.)

The alternate link is just for a different root, not for a different intermediate. One day, some or all certificates will just start getting signed by R3 and that's it. The alternate link for different roots will work the same regardless of which intermediate is being used.

4 Likes

Thank you - I'm aware of the when the default root switch to ISRG Root X1 is happening. My question is closer to https://community.letsencrypt.org/t/transition-from-x3-to-r3-intermediate/134465: when is the intermediate transition happening and does my client have control of switching from one to the other?

3 Likes

I'd figure the answer is "undetermined" because otherwise there would have been an announcement already. However, @jsha clearly stated in the other thread:

And that seems to have happened:

with an update

So perhaps it's imminent?

3 Likes

Yeah, it's been listed as active at https://letsencrypt.org/certificates/ for some time now, but if you click on the "Issued by R3" at the bottom to go to crt.sh there are still 0 certificates issued. I do suspect it'll be sometime "real soon now". I don't know if they might take it live at one data center at a time or something, or if it's just a switch they change everywhere all at once.

2 Likes

Not exactly. The root here, as @petercooperjr already pointed out, is not the discussion here, it's the intermediate.

While "swapping out" cross-signed and non-cross-signed intermediate certificates are possible to choose which root certificate is being used for the chain, "swapping out" a separate intermediate certificate isn't, i.e. change X3 to R3. This is because those two intermediate certificates have a different keypair where the cross-signed and non-cross-signed versions of the "same" intermediate have the same keypair.

If the ACME server signs a certificate with the X3 private key, you can't use the R3 intermediate.

4 Likes

AFAIK these are two different events:

  1. Changing what root the default certificate chain ultimately chains to
  2. Changing what the issuer of the leaf certificates is

I don't think we have any solid information on when (2) is going to happen.

In theory (2) shouldn't matter to clients, because the issuer being changed shouldn't affect the chain's trust characteristics.

6 Likes

The part where you're mixing two separate "events". You keep talking about root certificates, which is differently in total from the X3 vs. R3 intermediate certificate event.

Also, the part where OP talks about "additional alternate link relation" and you consequently talk about the ACME client doing something is confusing again. That's more related to the root event, where the ACME client can choose the chain to the root certificate (i.e., cross-signed or non-cross-signed intermediate), while the X3 vs. R3 event is an ACME server decision. Not up to the client at all.

4 Likes

Jan. 11 is when the default chain will change which root is signing the intermediate. There's no date yet published that I know of on when the intermediate will be changing. It's possible that they'll do it the same date if that makes things easier for them, but I think the plan is to do it sooner.

Now:
IdenTrust Root → LE X3 → Leaf cert
(with "alternate" available for ISRG Root X1 → LE X3 → Leaf cert)

"Soon" I think:
IdenTrust Root → LE R3 → Leaf cert
(with "alternate" available for ISRG Root X1 → LE R3 → Leaf cert)

As of Jan. 11:
ISRG Root X1 → LE R3 → Leaf cert
(with "alternate" available for IdenTrust Root → LE R3 → Leaf cert)

(All assuming that the intermediate switch happens before Jan. 11, and only talking about RSA certs. At some point they'll put E1 and Root X2 into the mix as well for elliptic curve certs.)

6 Likes

Yes, everything currently in use is ISRG Root X1 signed and IdenTrust DST Root X3 cross-signed. Although R3 currently isn't in use, it is signed by both roots too.

3 Likes

If you'd like to see it for yourself, https://valid-isrgrootx1.letsencrypt.org/ is a test site currently signed by X3 and serving the intermediate which is signed by ISRG Root X1. There's nothing special or unique that Let's Encrypt needed to do in order to set this up; you could do it yourself if you started serving the intermediate signed by ISRG Root X1 on your own web site. The only difference on Jan. 11 is them changing the default chain returned by the ACME server.

3 Likes

And just to be clear because in all our discussion I want to be sure this question actually gets answered:

No, your client has no control over which intermediate Let's Encrypt uses for signing, and in theory it shouldn't care one way or the other. The root matters in terms of which operating systems and browsers trust it (which is why the "alternate" link gives you a choice for that), and your ACME client needs to download the intermediate because your web/mail/etc. server needs to send it along with its own leaf certificate. But Let's Encrypt should be able to change its intermediates every day without you or browsers really caring which one is used. (In practice I suspect the auditing requirements and logistics of doing so would make it a real pain for them to actually change it daily, though, I'm just saying that while it'd matter to them, it shouldn't matter to you.)

3 Likes

While R3 isn't active yet, I suspect that it's going to go live very soon™.

The cross-sign variant of X3 (the IdenTrust one) expires on Mar 17 16:40:46 2021 GMT. Since Let's Encrypt leaf certificates are always 90 days valid, and a leaf certificate can't be valid for longer than the intermediate, the X3-cross sign variant cannot sign any 90-days certificates after 17.12.2020, exactly this day next month.

Therefore I suspect that the switching to R3 is going to happen within the next 30 days. Since this is before the Jan 11 date, R3 will initially be served with the cross-sign variant and later switched to the ISRG variant by default.

8 Likes

As I understand it, (2) matters for the following reason: the X3 intermediate expires Mar 17 16:40:46 2021 GMT. So, that means as of Dec 17 or so certs issued from this will have lifetimes longer than the intermediate from which they were issued, which I've been told is a CA/B forum violation. I hope someone can at least confirm that the switch to R3 will happen before then.

3 Likes

The intermediates (both X3 and R3) are both signed by DST Root X3 and ISRG Root X1, yes. But this is talking about the certificate chain being served, usually called fullchain.pem. This file consists of "your" certificate (signed by the intermediate) and the intermediate (signed by a root). You can't generally serve both signatures (actually maybe you can put them both in the fullchain file, but it's not the standard way to do it), so you can pick which intermediate signature you're using. You can use either one before Jan. 11, and you can use either one after Jan. 11. The only change happening that day is which one you get from the ACME server by default, and the other one is "hidden" behind an "alternate" link.

3 Likes

Well, before Jan. 11 the served certificate chain only leads to DST Root X3. Afterward, the chain only leads to ISRG Root X1. In both cases it only goes to one root, they're just changing which root it is (but you can choose to use the other chain if you want to).

3 Likes

No, the last part is not correct. While you are correct all currently available (in use or not) are signed by the ISRG root as well as IdenTrust, the "thing" you're quoting here, the event happening, is just which intermediate is sent by the ACME server as default and which is sent as alternative. The "only" part doesn't make sense in that sense.

This is what's happening around January 11th assuming R3 had been put into use:

Before:

  • end-leaf cert signed by private key R3
  • default intermediate: R3 signed by DST Root CA X3
  • alternative intermediate: R3 signed by ISRG Root X1

After:

  • end-leaf cert signed by private key R3
  • default intermediate: R3 signed by ISRG Root X1
  • alternative intermediate: R3 signed by DST Root CA X3

For me, the "only" isn't applicable in this event.

4 Likes

No, the change in defaults is correct, but I typed IdenTrust where I should have typed ISRG. It was late here, sorry! Now its correct.

2 Likes
Let's Encrypt Authority X3
Signed by ISRG Root X1
Let's Encrypt Authority X3
Cross-signed by IdenTrust

R3
Signed by ISRG Root X1
R3
Cross-signed by IdenTrust

E1
Signed by ISRG Root X2
2 Likes