It is no longer possible to integrate Certbot certificates into a SAPSSLS.pse file

Hi all,

Background:
I have an automation that regularly takes my new Certbot certificates and integrates them into a SAPSSLS.pse file. This is a special certificate format for SAP applications like the SAP Web Dispatcher or SAP Router. For more than a year it has worked well. This week it fails with the following error message:

Sorry, but certificate chain is incomplete, need a certificate of 'CN=DST Root CA X3, O=Digital Signature Trust Co.'!

What I tried to solve the problem:

  1. I generated the p12 certificate manually again by the command:

    openssl pkcs12 -export -out ./wildcard_cert.p12 -inkey ./privkey.pem -in ./cert.pem -certfile ./chain.pem -passout pass:secret

    The certificate file was created as expected, with no output from OpenSSL.

  2. I tried to generate the SAPSSLS.pse file again by the command:

    sapgenpse import_p12 -p SAPSSLS.pse -x "secret" ./wildcard_cert.p12

    It responds with the error message:

    Found key 'INDEX=0,SIG=YES,ENC=YES,MD5-FINGERPRINT=CC1C [...] 5C66,KEYID=AA3B [...] 4095'
    import_p12: Sorry, but certificate chain is incomplete, need certificate of 'CN=DST Root CA X3, O=Digital Signature Trust Co.'!

  3. I checked the certificates which are installed in the operation system:

    ll /etc/ssl/certs | grep X3
    lrwxrwxrwx 1 root root 18 Sep 5 2018 12d55845.0 -> DST_Root_CA_X3.pem
    lrwxrwxrwx 1 root root 18 Sep 5 2018 2e5ac55d.0 -> DST_Root_CA_X3.pem
    lrwxrwxrwx 1 root root 53 Jun 26 2017 DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt

    The root certificate is in place. Looks good!?

  4. I checked whether the certificate is up to date and compared it with the certificates from these websites:

  5. I tried to generate a SAPSSLS.pse file with an old wildcard_cert.p12 certificate file.
    This worked as expected, but it includes the deprecated Certbot certificate.

  6. I compared the old wildcard_cert.p12 and a new one by the command:

    openssl pkcs12 -nokeys -info -in ./wildcard_cert.p12

    The new one looks like this:

    MAC:sha1 Iteration 2048
    PKCS7 Encrypted data: pbe [...] CBC, Iteration 2048
    Certificate bag
    Bag Attributes
    localKeyID: AA 3B [...] 40 95
    subject=/CN=*.sap.de04.bitcloud.cloud
    issuer=/C=US/O=Let's Encrypt/CN=R3
    -----BEGIN CERTIFICATE-----
    MIIF[...] hUrxo=
    -----END CERTIFICATE-----
    Certificate bag
    Bag Attributes:
    subject=/C=US/O=Let's Encrypt/CN=R3
    issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3
    -----BEGIN CERTIFICATE-----
    MIIE [...] oXvg==
    -----END CERTIFICATE-----
    PKCS7 Data
    Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 204

    The old one looks like this:

    MAC:sha1 Iteration 2048
    PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
    Certificate bag
    Bag Attributes
    localKeyID: 62 F4 [...] 61 28
    subject=/CN=*.sap.de04.bitcloud.cloud
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    -----BEGIN CERTIFICATE-----
    MIIFa [...] sI3Tyw==
    -----END CERTIFICATE-----
    Certificate bag
    Bag Attributes:
    subject=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3
    -----BEGIN CERTIFICATE-----
    MIIE [...] Fu0Qg==
    -----END CERTIFICATE-----
    PKCS7 Data
    Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

    The only difference is the intermediate certificate, which changed from "Let's Encrypt Authority X3" to "R3". This looks OK if I compare it with the intermediate certificates on the Let's Encrypt website.

  7. I updated the sapgenpse application.

  8. I tried to generate the SAPSSLS.pse file on another operating system.
    Same behaviour. The old Certbot certificates (p12 file) work, the new ones do not.

Current status:

I am confused by the fact that the error message points to the root certificate, which is still in place on the system and was not changed in the trust chain. The only difference between the old and new Let's Encrypt certificates is the intermediate certificate, not the root. :thinking: That's the point where I request your help.

I am aware that this is the Let's Encrypt forum and you cannot help me with the sapgenpse program. But before the change of the intermediate certificate it was working. So perhaps somebody can give me some technical background on what could be wrong. Or does somebody have an idea of what's wrong with my setup and what else I can test?

More details:
I am aware of the content of these posts:

As far as I understand the following post, it is only possible to switch between the staging and production chain, but there is no alternative intermediate certificate for production, right?

Could this change affect me and my problem?

As far as I understand the content of this site, there is no technical difference between the old Let's Encrypt Authority X3 and the new R3 certificate, right?

My domain is:
*.sap.de04.bitcloud.cloud

The operating systems on which I executed the commands:
I tested the problem on two different systems:
NAME="openSUSE Leap"
VERSION="15.1"

NAME="Debian GNU/Linux"
VERSION="9 (stretch)"

I can log in to a root shell on my machine:
yes

The version of my client is:
certbot --version
certbot 0.25.0

Thank you for reading my article; I know it is a lot of stuff to read and understand!
I would be grateful for any hint or idea of what else I can test.
Thank you for your feedback in advance!


It seems that your system wants the "DST Root CA X3" cert included.
[It doesn't make much sense why it can't link R3 to it, but could link X3 to it.]
So I would try recreating the p12 file with the root cert included.

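The following script is an added example that is not part of the original thread or of any SAP or Let's Encrypt tooling; it shows one way to do what rg305 suggests above (rebuild the p12 with the root cert included) and automates the check the first post did by hand in steps 3 and 6. It takes Certbot's `chain.pem` (intermediates only), finds the issuer of its last certificate in an OpenSSL-style hashed CA directory such as `/etc/ssl/certs` (the `12d55845.0`-style links shown in the post), confirms the candidate really signed the intermediate instead of only matching on the name, appends it, and exports leaf + intermediate + root into one PKCS#12 file. The function names (`last_cert`, `find_root`, `build_p12`, `p12_cert_count`), the file names and the password are assumptions for illustration; `openssl` must be on PATH. Whether sapgenpse accepts the root from inside the p12 is not verified here; the thread's final fix passed the roots with `-r` instead.

```shell
#!/bin/sh
# Added example, not from the original thread: complete a Certbot chain with the
# root it ends at, taken from an OpenSSL-style hashed CA directory such as
# /etc/ssl/certs, and build a PKCS#12 file carrying leaf + intermediate + root.
# Assumptions: openssl is on PATH; CA_DIR holds roots as <subject_hash>.N files
# (the c_rehash layout seen in the post); chain.pem is Certbot's chain file
# (intermediates only); cert.pem/privkey.pem are the leaf and its key.
# Whether an importer such as sapgenpse accepts the root from inside the p12
# is not checked here (the thread's final fix passed the roots with -r).
set -e

# Print the last certificate of a PEM bundle (the one closest to the root).
last_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
       { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/ { last = buf }
       END { printf "%s", last }' "$1"
}

# Number of PEM certificates in a file (prints 0 instead of failing).
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Locate the issuer of the chain's last certificate in CA_DIR. Candidates are
# found by the OpenSSL subject hash (<hash>.0, <hash>.1, ... allow collisions)
# and confirmed by verifying the intermediate's signature against each one,
# so a root with the right name but the wrong key is rejected.
# Prints the path of the root on success, returns 1 if none fits.
find_root() {
  chain=$1; ca_dir=$2
  tmp=$(mktemp)
  last_cert "$chain" > "$tmp"
  hash=$(openssl x509 -noout -issuer_hash -in "$tmp")
  for cand in "$ca_dir/$hash".*; do
    [ -f "$cand" ] || continue
    if openssl verify -CAfile "$cand" "$tmp" > /dev/null 2>&1; then
      rm -f "$tmp"
      printf '%s\n' "$cand"
      return 0
    fi
  done
  rm -f "$tmp"
  echo "no trusted root for issuer hash $hash in $ca_dir" >&2
  return 1
}

# Export leaf + intermediates + root into one PKCS#12 file.
# Usage: build_p12 chain.pem cert.pem privkey.pem /etc/ssl/certs out.p12 secret
build_p12() {
  chain=$1; cert=$2; key=$3; ca_dir=$4; out=$5; pass=$6
  root=$(find_root "$chain" "$ca_dir") || return 1
  full="${out%.p12}.chain-with-root.pem"
  cat "$chain" "$root" > "$full"
  openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
    -certfile "$full" -passout "pass:$pass"
}

# Count the certificates that actually ended up in a PKCS#12 file, the same
# check the post did with "openssl pkcs12 -nokeys -info".
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}
```

`find_root` deliberately does not trust the file name alone: the `<hash>.N` names in `/etc/ssl/certs` are derived from the subject DN, and a stale or cross-signed root with the same DN would match by name, so the candidate is accepted only if `openssl verify` proves it signed the intermediate. The resulting p12 can then be handed to `sapgenpse import_p12` as in the post; if the importer still asks for the root, passing the files explicitly with `-r` (as in the final reply) is the fallback.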

Hi rg305,

thank you very much for your reply.

Yes, this sounds like a solution as well, but I read it too late. Sorry, I found another way.

My misunderstanding was that I expected all necessary information to be stored in the p12 file or in the operating system. It is not :frowning:

I also need to provide the intermediate and both root certs in the sapgenpse call, like this:

./sapgenpse/sapgenpse import_p12 -r root-isrg-x1.pem -r inter-letsencrypt-crt-R3.pem -r root-dst-ca-X3.pem -p SAPSSLS.pse -x "" sap_wildcard_cert.p12

What I still don't understand is that in the old sapgenpse call three certificates were also provided. The "DST Root CA X3" should be one of them, because it was also used in the old p12 file. But in fact it was not one of the provided certificates. Hmm. Strange.

I hope it was not a waste of time to write this whole article here, and that it helps somebody in the future.

Thanks again to rg305 for reading and understanding my article!
Enjoy your day :slight_smile:
