New trust chain for ACME V2

In the dev environment, we got an unexpected trust chain for a certificate issued via ACME v2. My question is: do we need a new trust chain in Production when we migrate from ACME V1 to V2?

Here is the new trust chain in the dev environment:


Actually, I used openssl to check this cert (see details below). It is a “cackling cryptographer fake ROOT” cert. I will add it to my test environment ok-list. So no issues. This topic can be closed.

openssl x509 -in acme-v2-trust-chain.cert -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4698 (0x125a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=cackling cryptographer fake ROOT
        Validity
            Not Before: Mar 22 02:47:52 2016 GMT
            Not After : Mar 21 02:47:52 2021 GMT
        Subject: CN=h2ppy h2cker fake CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:0a:47:79:9a:05:c5:12:b2:77:17:63:34:13:
                    d7:70:f9:36:bf:99:de:62:f1:30:c8:77:4d:47:6d:
                    ea:c0:02:9a:a6:c9:d1:bb:51:96:05:df:32:d3:4b:
                    33:63:94:d4:8e:9a:dc:9b:be:b4:86:52:76:7d:af:
                    db:52:41:c2:fc:54:ce:96:50:e3:3c:b6:72:29:88:
                    88:c4:03:64:24:07:27:0c:c2:f4:66:67:f0:76:96:
                    d3:dd:62:cf:d1:f4:1a:8d:c0:ed:60:d7:c1:83:66:
                    b1:d2:cd:46:2d:34:a3:5e:14:8e:86:95:a9:a3:ec:
                    62:b6:56:bd:12:9a:21:1a:9a:53:48:47:99:2d:00:
                    5b:04:12:bc:df:fd:de:23:08:5e:ec:a2:c3:2c:26:
                    93:02:9b:5a:79:f1:09:0f:e0:b1:cb:4a:15:4b:5c:
                    36:bc:04:c7:d5:a0:8f:a2:a5:87:00:d3:c8:8d:50:
                    59:20:5b:c5:56:0d:c9:48:0f:17:32:b1:ad:29:b0:
                    30:ed:32:35:f7:fb:86:8f:90:4f:dc:79:f9:8f:fb:
                    5c:4e:7d:4b:83:1c:e1:95:f1:71:72:9e:c3:f8:12:
                    94:df:54:e6:6b:d3:f8:3d:81:84:3b:64:0a:ea:5d:
                    7e:c6:4d:09:05:a9:db:b0:3e:6f:f0:e6:ac:52:3d:
                    36:ab
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            Authority Information Access:
                OCSP - URI:http://isrg.trustid.ocsp.identrust.com
                CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c

            X509v3 Authority Key Identifier:
                keyid:E9:A4:3F:EE:9E:A5:E6:F2:D5:D7:79:60:3C:93:A6:2E:24:8E:97:AA

            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.root-x1.letsencrypt.org

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl

            X509v3 Subject Key Identifier:
                FB:78:4F:12:F9:60:15:83:2C:9F:17:7F:34:19:B3:2E:36:EA:41:89
    Signature Algorithm: sha256WithRSAEncryption
         ab:de:3d:f6:17:05:a0:1c:61:c6:b6:7b:45:b0:92:cc:30:27:
         b9:4b:53:f8:b7:18:81:4c:f2:d1:2b:29:38:4d:7f:78:03:dc:
         a7:42:b4:36:78:e5:7a:26:3a:c8:1d:46:ff:28:c5:84:ef:42:
         90:46:4d:c9:58:44:0a:8b:b0:ef:6d:fc:b8:06:c5:e4:81:8f:
         3c:18:ed:8b:5d:c3:08:fc:96:f8:84:1a:d8:ae:9f:4e:ac:27:
         14:6f:bc:15:3e:97:db:93:b3:70:ca:07:15:8a:67:f6:11:7f:
         8f:ba:c2:af:ef:11:1a:d2:86:91:02:2a:e4:39:f8:d8:0c:71:
         2b:50:63:b7:72:c2:bb:1d:eb:1d:69:dd:b9:0e:be:8c:1b:0e:
         56:91:c2:bb:bb:40:22:17:4c:14:9b:f1:37:a9:2a:a0:aa:47:
         3a:fa:61:11:2d:76:82:30:d8:51:3c:30:a3:02:19:1d:a9:f9:
         4d:ec:96:1c:5f:2d:38:75:dc:cb:aa:20:eb:d3:b8:0d:78:e5:
         2f:ea:7f:ac:42:91:17:3d:23:dd:86:a6:3a:10:93:ce:d9:bf:
         5b:a1:a6:48:13:f6:ec:1b:47:0d:02:b3:90:cc:77:14:ff:2e:
         02:14:49:f5:13:29:4f:37:18:da:db:ad:03:58:8a:79:09:ef:
         b8:ba:c0:6d

Glad you found the solution! That root certificate comes from the Boulder integration tests. Presumably you were using the same one in your local dev environment previously, but since ACMEv2 provides a different way of handling certificate chains, it’s possible that the test root newly came to your attention. Thanks for working on the ACMEv2 upgrade!

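A scripted version of the openssl check above, as an added example that is not from the thread, Boulder or Let's Encrypt: it parses a PEM chain and accepts only issuer CNs on a per-environment ok-list, so the Boulder test root passes in dev and is rejected by the production list. The certificate it inspects is constructed at run time with the same issuer, subject and serial as the one in the thread; the production CN and the ok-list contents are placeholders chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

var devOKList = map[string]bool{"cackling cryptographer fake ROOT": true} // Boulder test root: dev only
var prodOKList = map[string]bool{"PRODUCTION-ROOT-CN-PLACEHOLDER": true} // placeholder, not a real CA

// checkChainIssuers lists the issuer CN of each cert in a PEM chain; it fails on one not in okList, or on an empty chain.
func checkChainIssuers(chainPEM []byte, okList map[string]bool) ([]string, error) {
	var issuers []string
	for block, rest := pem.Decode(chainPEM); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		issuers = append(issuers, cert.Issuer.CommonName)
		if !okList[cert.Issuer.CommonName] {
			return issuers, fmt.Errorf("issuer %q is not in the ok-list", cert.Issuer.CommonName)
		}
	}
	if len(issuers) == 0 {
		return nil, fmt.Errorf("no certificates found in chain") // an empty chain must not pass
	}
	return issuers, nil
}

// fakeIntermediatePEM: constructed stand-in for the thread's cert (same names and serial, fresh Ed25519 key), runs offline.
func fakeIntermediatePEM() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: "cackling cryptographer fake ROOT"}}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(4698), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "h2ppy h2cker fake CA"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(checkChainIssuers(fakeIntermediatePEM(), devOKList))  // accepted in dev
	fmt.Println(checkChainIssuers(fakeIntermediatePEM(), prodOKList)) // rejected in prod
}
```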
