Issue certificate signed only by ISRG for testing

That device probably encountered the DST->ISRG-CrossSign at some point and it's stuck in the browser or os cache. You may be able to remove it with a soft reset of the device, otherwise a total reset is likely needed.

2 Likes

Ah, now that I've looked more closely, there are a bunch of different servers as EC2 instances, the IP addresses change over time, and presumably I was once talking to some other EC2 system that was no longer servicing libbyapp.com but still has the certificates and so on.

So yes, the servers currently answering for this name have this strange order of certificates:

 0 s:CN = *.libbyapp.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1

This is a weird ordering, I would be surprised if it's the result of a normal ACME client. Although modern browsers don't mind (and the TLS 1.3 specification actually says doing things like this is OK), lots of other HTTP clients, and the standards up until TLS 1.2 inclusive, say not to do this. They want the certificates to form a literal "chain", so the issuer of a certificate would be the subject of the next certificate.

That is, you'd usually expect something like this:

 0 s:CN = *.libbyapp.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

So the certificate issued by DST Root CA X3 for ISRG Root X1 (which you are trying to exclude as I understand it) is not only in this list, it's somehow right in the middle of it.

1 Like
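As an added example (not code from the thread or from Let's Encrypt), here is a small Python checker for the ordering rule described in the reply above: it parses a `Certificate chain` listing in the `s:`/`i:` style that `openssl s_client` prints, reports whether each certificate's issuer is the subject of the next one, rebuilds the linear leaf-to-root order when it is not, and lists which certificates were issued by a given CA so the DST-cross-signed ISRG Root X1 is easy to spot. The sample listing is a constructed copy of the out-of-order chain quoted in the thread; the function names are this example's own.

```python
import re
from typing import List, Tuple

# Constructed sample: the out-of-order chain listing quoted above,
# in the "s:" (subject) / "i:" (issuer) style that openssl s_client prints.
WEIRD_CHAIN = """\
 0 s:CN = *.libbyapp.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""

Entry = Tuple[str, str]  # (subject, issuer) distinguished names as printed

# Optional leading index ("0 "), then "s:" or "i:", then the name.
LINE_RE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")


def parse_chain(text: str) -> List[Entry]:
    """Turn an s:/i: listing into a list of (subject, issuer) pairs."""
    entries: List[Entry] = []
    subject = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, name = m.group(1), m.group(2).strip()
        if kind == "s":
            subject = name
        elif kind == "i" and subject is not None:
            entries.append((subject, name))
            subject = None
    return entries


def is_linear_chain(entries: List[Entry]) -> bool:
    """True when the issuer of certificate n is the subject of certificate n+1
    (the strict ordering pre-TLS 1.3 clients expect)."""
    return all(entries[k][1] == entries[k + 1][0] for k in range(len(entries) - 1))


def reorder_chain(entries: List[Entry]) -> List[Entry]:
    """Rebuild leaf-to-root order: start from the one subject that issues nothing,
    then follow issuer -> subject links. Raises if the set is not a single chain."""
    by_subject = {subj: (subj, iss) for subj, iss in entries}
    issuers = {iss for _, iss in entries}
    leaves = [e for e in entries if e[0] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    ordered = [leaves[0]]
    seen = {leaves[0][0]}
    # Stop at the top of the chain, or at a self-signed root (subject == issuer).
    while ordered[-1][1] in by_subject and ordered[-1][1] not in seen:
        nxt = by_subject[ordered[-1][1]]
        ordered.append(nxt)
        seen.add(nxt[0])
    if len(ordered) != len(entries):
        raise ValueError("chain contains certificates not reachable from the leaf")
    return ordered


def issued_by(entries: List[Entry], issuer_cn: str) -> List[str]:
    """Subjects of all certificates whose issuer DN contains the given CN,
    e.g. 'DST Root CA X3' to find the cross-signed ISRG Root X1."""
    return [subj for subj, iss in entries if f"CN = {issuer_cn}" in iss]


def format_chain(entries: List[Entry]) -> str:
    """Render a list of entries back into the s:/i: listing style."""
    lines = []
    for n, (subj, iss) in enumerate(entries):
        lines.append(f" {n} s:{subj}")
        lines.append(f"   i:{iss}")
    return "\n".join(lines)


if __name__ == "__main__":
    chain = parse_chain(WEIRD_CHAIN)
    print("linear as served:", is_linear_chain(chain))
    print("cross-signed by DST Root CA X3:", issued_by(chain, "DST Root CA X3"))
    print("expected order:\n" + format_chain(reorder_chain(chain)))
```

Run it against the output of `openssl s_client -connect host:443 -showcerts` (the `s:`/`i:` lines only) to see whether a server is sending a strictly linear chain, and to see at a glance whether the DST-signed copy of ISRG Root X1 is still being served.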

So to close this out. I never was able to test this the way I wanted to. Probably because, as @jvanasco suggested, the device is caching the chain. Fortunately, we were able to do the "change the system date" trick to simulate October 1st and our app stopped trusting the certificate. We put our fix in place to supply the ISRG root in the app directly and the app then worked. So, confidence is there we'll get past Oct 1st with no issues. Thank you everyone for your input and help!

4 Likes
