I noticed that after changing the intermediate certificate to R12 and R13, the PFX file generated by my client no longer includes the intermediate certificate used by the domain cert.
We didn't make any recent changes to the client code, so I assume it was something in the issuance process.
I think you'd need to be really clear on what client you're using, and how you've configured it to make a pfx file. In general, ACME clients would read the intermediate along with the new certificate and deploy it the same way. It sounds like that isn't working for you automatically, but you haven't provided much information for people to help you.
@grudnitzki1 Which ACME client are you using? I think there were versions of Certes (an older ACME library) that could have been affected but that was mainly around roots rather than intermediates.
Not sure what OP expects from us or from Let's Encrypt. If LE were somehow sending the incorrect intermediate, this forum would be flooded with new threads. The lack thereof means it's most likely an issue with the hardcoding in this client or something related.
I developed my own client, using Chilkat components. The client does not hardcode the intermediates.
The client creates a PFX file with the domain cert. After the rotation of the secondary certs, the PFXs are still working fine but missing the intermediates in the file.
The "cert" returned by Let's Encrypt contains both the leaf and its intermediate.
You must be losing that when you convert it to pfx. Carefully review your conversion code.
It is not technically impossible for LE to not include the intermediate. But, that would be a significant bug affecting over 7 million certs on a typical day. So far you are the only one complaining. Just from that it's not hard to guess where the problem lies.
Perhaps if you posted some of the code that does that conversion someone will be able to help.
How does your client currently source the intermediates? Generally when you build a PFX you create an archive with the leaf cert, intermediates and the private key, so you were previously getting the intermediates from somewhere - either a file or the machine store under Certificates > Intermediate Certification Authorities.
The intermediates under Intermediate Certification Authorities typically get auto populated when you import a PFX that includes them, but you can also manually add them.
The solution was to also include the root certificate (ISRG Root X1) in the PFX file generated by my client. This way, the intermediate certificate was automatically included as well. Thanks for the suggestions that pointed me in the right direction.
Uh... the receiver of your cert is supposed to have the root certificate in their trust store. You including the root certificate in your served chain defeats the purpose.
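The PFX conversion step this thread keeps coming back to, as an added example that is not the OP's client code and not a Chilkat snippet: using Python's `cryptography` library, it splits the ACME fullchain PEM (leaf first, then its issuers), refuses to build a PFX whose chain does not contain the leaf's issuer (the symptom in the original post), and drops any self-signed root before packaging, for the reason given in the last reply. The root/intermediate/leaf hierarchy and names are constructed locally so the example runs offline.

```python
import datetime, re
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import (
    BestAvailableEncryption, Encoding, pkcs12)

def _cert(cn, issuer_cn, issuer_key, pubkey, is_ca):
    # Constructed throwaway cert; stands in for the real ISRG Root X1 -> R1x -> leaf chain.
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=90))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def make_chain():
    """Build a constructed root -> intermediate -> leaf hierarchy and return
    (leaf_key, fullchain PEM as an ACME client receives it, root PEM)."""
    root_key, int_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert("Test Root", "Test Root", root_key, root_key.public_key(), True)
    inter = _cert("Test R12", "Test Root", root_key, int_key.public_key(), True)
    leaf = _cert("example.test", "Test R12", int_key, leaf_key.public_key(), False)
    pem = lambda c: c.public_bytes(Encoding.PEM)
    return leaf_key, pem(leaf) + pem(inter), pem(root)

def split_chain(pem_bytes):
    """ACME returns the leaf first, then its issuers; split them into (leaf, [issuers])."""
    blocks = re.findall(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem_bytes, re.S)
    certs = [x509.load_pem_x509_certificate(b) for b in blocks]
    return certs[0], certs[1:]

def build_pfx(fullchain_pem, key, password):
    """Package leaf + intermediates + private key into PKCS#12. Self-signed roots are
    dropped (the relying party must already trust them), and a chain that does not
    contain the leaf's issuer is rejected instead of silently producing a leaf-only PFX."""
    leaf, chain = split_chain(fullchain_pem)
    chain = [c for c in chain if c.subject != c.issuer]
    if leaf.issuer.rfc4514_string() not in {c.subject.rfc4514_string() for c in chain}:
        raise ValueError("fullchain is missing the leaf's issuing intermediate")
    return pkcs12.serialize_key_and_certificates(
        b"acme", key, leaf, chain, BestAvailableEncryption(password))

def inspect_pfx(pfx_bytes, password):
    """Return (leaf subject, [extra cert subjects]) so the packaged chain can be checked."""
    _key, leaf, cas = pkcs12.load_key_and_certificates(pfx_bytes, password)
    return leaf.subject.rfc4514_string(), [c.subject.rfc4514_string() for c in cas or []]
```

Running `inspect_pfx` on the output is the quick check the replies suggest: the extra-certificates list should contain the intermediate and nothing else.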