Hi all,
Background:
I have an automation that regularly takes my new Certbot certificates and integrates them into a SAPSSLS.pse file. This is a special certificate format for SAP applications like the SAP-Webdispatcher or SAP-Router. It has worked well for more than a year. This week it fails with the error message:
Sorry, but certificate chain is incomplete, need a certificate of 'CN=DST Root CA X3, O=Digital Signature Trust Co.'!
What I tried to solve the problem:
- I generated the p12 certificate manually again with the command:
openssl pkcs12 -export -out ./wildcard_cert.p12 -inkey ./privkey.pem -in ./cert.pem -certfile ./chain.pem -passout pass:secret
The certificate file was created as expected, with no output from the OpenSSL application.
- I tried to generate the SAPSSLS.pse file again with the command:
sapgenpse import_p12 -p SAPSSLS.pse -x "secret" ./wildcard_cert.p12
It responds with the error message:
Found key 'INDEX=0,SIG=YES,ENC=YES,MD5-FINGERPRINT=CC1C [...] 5C66,KEYID=AA3B [...] 4095'
import_p12: Sorry, but certificate chain is incomplete, need certificate of 'CN=DST Root CA X3, O=Digital Signature Trust Co.'!
- I checked the certificates that are installed in the operating system:
ll /etc/ssl/certs | grep X3
lrwxrwxrwx 1 root root 18 Sep 5 2018 12d55845.0 -> DST_Root_CA_X3.pem
lrwxrwxrwx 1 root root 18 Sep 5 2018 2e5ac55d.0 -> DST_Root_CA_X3.pem
lrwxrwxrwx 1 root root 53 Jun 26 2017 DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
The root certificate is in place. Looks good!?
- I checked whether the certificate is up to date and compared it with the certificates from these websites:
- I tried to generate a SAPSSLS.pse file with an old wildcard_cert.p12 certificate file.
This worked as expected, but it includes the deprecated Certbot certificate.
- I compared the old wildcard_cert.p12 and a new one with the command:
openssl pkcs12 -nokeys -info -in ./wildcard_cert.p12
The new one looks like this:
MAC:sha1 Iteration 2048
PKCS7 Encrypted data: pbe [...] CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: AA 3B [...] 40 95
subject=/CN=*.sap.de04.bitcloud.cloud
issuer=/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
MIIF[...] hUrxo=
-----END CERTIFICATE-----
Certificate bag
Bag Attributes:
subject=/C=US/O=Let's Encrypt/CN=R3
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIE [...] oXvg==
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 204
The old one looks like this:
MAC:sha1 Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 62 F4 [...] 61 28
subject=/CN=*.sap.de04.bitcloud.cloud
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFa [...] sI3Tyw==
-----END CERTIFICATE-----
Certificate bag
Bag Attributes:
subject=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIE [...] Fu0Qg==
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
The only difference is the intermediate certificate, which changed from "Let's Encrypt Authority X3" to "R3". This looks OK when I compare it with the intermediate certificates on the Let's Encrypt website.
- I updated the sapgenpse application.
- I tried to generate the SAPSSLS.pse file on another operating system.
Same behavior. The old Certbot certificates (p12 file) work, the new ones do not.
Current status:
I am confused by the fact that the error message points to the root certificate, which is still in place on the system and was not changed in the trust chain. The only difference between the old and new Let's Encrypt certificates is the intermediate certificate, not the root. That's the point where I request your help.
I am aware that this is the Let's Encrypt forum and you cannot help me with the sapgenpse program. But before the change of the intermediate certificate, it was working. So perhaps somebody can give me some technical background on what could be wrong. Or does somebody have an idea of what's wrong with my setup and what else I can test?
More details:
I am aware of the content of these posts:
As far as I understand the following post, it is only possible to switch between the staging and production chain, but there is no alternative intermediate certificate for production, right?
Could this change affect me and my problem?
As far as I understand the content of this site, there is no technical difference between the old Let's Encrypt Authority X3 and the new R3 certificate, right?
My domain is:
*.sap.de04.bitcloud.cloud
The operating systems on which I executed the commands:
I tested the problem on two different systems:
NAME="openSUSE Leap"
VERSION="15.1"
NAME="Debian GNU/Linux"
VERSION="9 (stretch)"
I can log in to a root shell on my machine:
yes
The version of my client is:
certbot --version
certbot 0.25.0
Thank you for reading my post, I know it is a lot of stuff to read and to understand!
I would be grateful for any hint or idea of what else I can test.
Thank you for your feedback in advance!
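As an added example (not part of the original post, and not code from Certbot, OpenSSL or SAP), the following script shows the check a practitioner would run here: does the certificate chain inside the PKCS#12 file actually end in a self-signed root, or does it stop at an intermediate whose issuer is not in the bundle? Certbot's chain.pem carries only the intermediate(s), so a p12 built from cert.pem + chain.pem contains no root, and an importer that insists on a complete chain will ask for exactly the issuer of the top-most CA, as sapgenpse does above. The script builds a throwaway root -> intermediate -> wildcard leaf PKI (all names, "Demo Root CA", "*.example.test" and the password "secret", are constructed for the demo), exports a p12 the same way the post does, reports the missing issuer, then rebuilds the p12 with the root appended. It assumes the openssl CLI (1.1.1 or newer), awk and mktemp.

```shell
#!/bin/sh
# Added example, not from the original post. Inspects the chain inside a PKCS#12 file
# and, if it does not end in a self-signed root, rebuilds the file with the root
# appended. Demo names, domain and password are constructed; requires openssl >= 1.1.1.
set -eu

# Build a throwaway root -> intermediate -> leaf PKI in directory $1 and export a p12
# that, like cert.pem + chain.pem from certbot, holds only the leaf and the intermediate.
make_demo_pki() (
  d=$1; mkdir -p "$d"
  kt="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"   # fast EC keys, unencrypted
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' >"$d/leaf.ext"
  # shellcheck disable=SC2086
  openssl req -new $kt -keyout "$d/root.key" -out "$d/root.csr" -subj "/O=Demo/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -extfile "$d/ca.ext" \
    -out "$d/root.pem" 2>/dev/null
  openssl req -new $kt -keyout "$d/int.key" -out "$d/int.csr" -subj "/O=Demo/CN=Demo Intermediate" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -new $kt -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=*.example.test" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
  # Same export as in the post: leaf + key in, intermediate via -certfile, no root.
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" -certfile "$d/int.pem" \
    -passout pass:secret -out "$d/incomplete.p12"
)

# Print the issuer DN of every certificate in the p12 ($1, password $2) whose issuer is
# not itself in the bundle. Empty output means the chain ends in a self-signed root.
missing_issuer() (
  p12=$1; pw=$2
  tmp=$(mktemp -d)
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -out "$tmp/bundle.pem" 2>/dev/null
  # Split the bundle into one file per certificate; "Bag Attributes" lines are dropped.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem"; inblk = 1 }
    inblk { print > f }
    /-----END CERTIFICATE-----/ { inblk = 0; close(f) }' "$tmp/bundle.pem"
  subjects=" "
  for c in "$tmp"/cert*.pem; do
    subjects="$subjects$(openssl x509 -noout -subject_hash -in "$c") "
  done
  for c in "$tmp"/cert*.pem; do
    ih=$(openssl x509 -noout -issuer_hash -in "$c")
    case "$subjects" in
      *" $ih "*) ;;                                              # issuer is in the bundle
      *) openssl x509 -noout -issuer -in "$c" | sed 's/^issuer= *//' ;;
    esac
  done
  rm -rf "$tmp"
)

# Rebuild p12 $1 (password $2) as $4, keeping key and leaf and appending root $3 to the
# CA certificates. $3 must be the issuer of the top-most CA already in the file.
complete_chain() (
  p12=$1; pw=$2; root=$3; out=$4
  tmp=$(mktemp -d)
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes -out "$tmp/key.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts -out "$tmp/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -cacerts -out "$tmp/cas.pem" 2>/dev/null
  cat "$tmp/cas.pem" "$root" >"$tmp/chain.pem"
  openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/leaf.pem" -certfile "$tmp/chain.pem" \
    -passout "pass:$pw" -out "$out"
  rm -rf "$tmp"
)

# Demonstration: report the gap, fix it, report again (second line is expected to be empty).
demo() (
  d=$(mktemp -d)
  make_demo_pki "$d"
  echo "missing issuer before: $(missing_issuer "$d/incomplete.p12" secret)"
  complete_chain "$d/incomplete.p12" secret "$d/root.pem" "$d/complete.p12"
  echo "missing issuer after:  '$(missing_issuer "$d/complete.p12" secret)'"
  rm -rf "$d"
)
demo
```

Run `missing_issuer ./wildcard_cert.p12 secret` against a real file to see which issuer the bundle lacks; for the post's new p12 that is the DN the importer complains about, because R3 is the last certificate in the bundle and its issuer (DST Root CA X3, taken from the OS store in the post) is not inside the p12, regardless of whether it is installed system-wide. Two caveats: the old p12 on the page is encrypted with pbeWithSHA1And40BitRC2-CBC, which OpenSSL 3 only reads when the legacy provider is loaded (`openssl pkcs12 -legacy ...`); and appending a root that is about to expire or be distrusted only satisfies a chain-completeness check, it does not make the chain any more trustworthy to clients.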