Keep "Let's Encrypt Authority X3" for renewed certificate

kati · January 8, 2021, 8:04am

Hello all!

Need your help or an advice!

I have a problem with my public certificate after last renewing 07/01/2020. This certificate I exported in browser and uploaded as a trusted to some my devices. Devices could not connect to any external services and I also can not connect to devices remotely.
Now, Intermediate certificate has been changed from X3 to R3 and my trusted certificate is not valid any more.

Is is possible to require renewing with X3 sertificate until Mart? Is there another solution to trust a certificate on physical devices?

Thank you in advice,

rg305 · January 8, 2021, 8:23am

First: You should not be requiring connection trust based on intermediate certs.
That can change at any moment.

That is no longer possible.

Osiris · January 8, 2021, 12:11pm

Very short answer: no, that's not possible.

However, if you renewed after 60 days like Let's Encrypt advices, you should have 29 days left for your previous certificate. You might be able to re-instate that certificate on your server and fix whatever design flaw you've made in the past (i.e. depend on a static intermediate, which should never be done).

sarathyplkr5 · January 8, 2021, 2:11pm

Why is it no longer possible? I understand that there will be brownouts each month, but renewal should still be possible atleast till the end of May correct?

orangepizza · January 8, 2021, 2:15pm

you are thinking of DST root X3, intermediate CA X3 is only a 2 mounth left and cannot sign by current boulder without extend leaf's life behind CA's

rg305 · January 8, 2021, 2:23pm

X3 is beyond browning out - it is off.
The current pending brownouts are for ACMEv1 deprecation.
See: End of Life Plan for ACMEv1 - API Announcements - Let's Encrypt Community Support

sarathyplkr5 · January 8, 2021, 3:53pm

Thanks for the link. I fail to see where exactly it says that the intermediate X3 is Off and cannot be renewed. Can someone post a screenshot of it.

JuergenAuer · January 8, 2021, 4:08pm

Hi @sarathyplkr5

an intermediate certificate isn't something to renew.

That's how the certificate system works.

Root and intermediate certificates are replaced with new private / public keys, not renewed.

Clients should never use hardcoded intermediate certificates. A client with such a behaviour is a wrong configured client.

rg305 · January 8, 2021, 4:28pm

Beginning Issuance from R3 - API Announcements - Let's Encrypt Community Support

schoen · January 8, 2021, 8:12pm

There is much more detail about this in the thread

kati · January 10, 2021, 5:07pm

Thank you for help and links!
As I understand right, If my devices could not connect to any external IP (included any CA), I need to keep all chain of trusted certificates in devices.
R3 will be expired 29/09/2021, so, I think, next time i will need to change intermediate certificate maximum in July, 2021. Am I right?

rg305 · January 10, 2021, 6:03pm

Intermediates can change at any given moment without notice.
You should include your own CA root as a safety net.

kati · January 10, 2021, 6:58pm

Thank you very much!

aarongable · January 11, 2021, 4:57pm

(As a side note, this expiration date is incorrect -- The R3 cross-sign from IdenTrust expires in late 2021, but the R3 issued from our own ISRG Root X1 doesn't expire until 2025. That said, the advice above is still correct! Don't pin or rely on intermediates, as we may have to (for example) switch to using R4 at a moment's notice.)

kokel · January 12, 2021, 10:15am

Hi,
just to clarify: Until the old Root+ Intermediate will expire there is no chance to renew certificates signed by "Lets Encrypt Authority X3" and "DST Root CA X3"?
Just wondered, because I thought the new options in all those acme clients "preferred chain" or similar are just for this purpose.
Thanks

rg305 · January 12, 2021, 10:20am

Has been retired, and it will soon expire.

It will not be signing anything ever again.

kokel · January 12, 2021, 10:36am

Sure, I know it will expire on 17th of march this year.
It could have been possible to issue certificates until this date

rg305 · January 12, 2021, 10:37am

Not exactly.
It should never authorize a cert beyond its' own life.
So it had to stop issuing 90 day certs... 91 days before it expires.
[2021/03/17 - 91 days was on 2020/12/16]
As also seen on the first line of this post: Beginning Issuance from R3 - API Announcements - Let's Encrypt Community Support

kokel · January 12, 2021, 10:47am

Thanks, is was just not clear to me.
Because the acme_certificate module in ansible suggests that it is still possible:
https://docs.ansible.com/ansible/2.10/collections/community/crypto/acme_certificate_module.html#examples - the last example selects the chain of the old DST Root.

rg305 · January 12, 2021, 10:58am

Sure "possible".
It could now issue a cert with 100 years life on it.
But no browser, nor anyone, would ever honor that cert either (past his own life time).

After re-reading it, I only see: "DST Root CA X3"
Not any mention of "Let's Encrypt Authority X3"

Topic		Replies	Views
Recommendation on client-side trusted root CA certificates Help	3	1466	January 16, 2021
Obtaining a letsencryp certificate with the old intermediate "X3"? Issuance Tech	9	1372	February 4, 2021
Hello everyone, I wanted to clarify is there a valid replacement for the certificate? "O=Internet Security Research Group, CN=ORG Root X1 O=Let's Encrypt, CN=Let's Encrypt Authority X3" ExpresswayE server Help	7	243	May 10, 2024
Let_s_Encrypt_Authority_X3.der expiring Help	4	678	April 3, 2021
Lets Encrypt Authority X1 expired Help	8	2267	September 4, 2016

Keep "Let's Encrypt Authority X3" for renewed certificate

Related topics