Obtaining a letsencryp certificate with the old intermediate "X3"?

cts · January 5, 2021, 11:55am

Hello all,

we were running a letsencrypt certificate on a server that used to me signed by the intermediate "Letsencrypt Certificate Authority X3". A number of machines "in the field" were doing certificate pinning to the old certificate chain.
Apparently an update between 2020-12-20 and 2021-01-03 changed the intermediate from "Letsencrypt Certificate Authority X3" to "R3" and now those machines refuse to talk to our server.

Is there a way to get a certificate issued which uses the "Letsencrypt Certificate Authority X3" as the intermediate certification authority?

Thanks,
Christian.

sahsanu · January 5, 2021, 12:05pm

Hello @cts,

I'm afraid it is not possible. In this post you could see a similar issue and the LE staff responses saying it is not possible.

Cheers,
sahsanu

cts · January 5, 2021, 2:22pm

Hi @sahsanu,

I was afraid that answer would arise.

Is there a known way to obtain this for money/a donation/rescuing kittens from tall trees?

Best,
Christian.

sahsanu · January 5, 2021, 2:26pm

As far as I know, no, there is no way to obtain a certificate signed by X3. In the link I posted above they also offered money and the answer rermained no.

julemand101 · January 5, 2021, 2:44pm

Is it possible to manipulate the time for this "machines "in the field""? Do they use a time server you have control over? Because you could then announce a time where your old certificate would be valid.

felixf · January 5, 2021, 2:54pm

Also, assuming you followed best practices and changed the certificate a month (or at least a few weeks) before expiry: why not switch back to the old certificate (which hasn't expired yet if done correctly) and use it to fix the damage?

jvanasco · January 5, 2021, 4:09pm

Nope.

If you look at the handy chart though- https://letsencrypt.org/certificates/ - Intermediate R3 chains up to "Root X1", just like Intermediate X3 did... so the root trust store is the same.

You could conceivably pin to the R3 chain AS A STOPGAP while you deploy a proper fix that removes the pinning.

cts · January 5, 2021, 9:34pm

The machines use *.pool.ntp.org, so even though that is a very good idea it won't work in this case.

cts · January 5, 2021, 9:41pm

@jvanasco It is my understanding that the pinning process checked the whole chain - and not just parts of it.
I have, though, pointed my much more technically inclined colleagues to your answer for which I am very thankful!

The problem further seems to be that we cannot implement a stopgap measure on the devices as they currently do not pull any information (including said measures) from the server. We'd need to update the application (that process luckily still works), yet there's machines that need to be used "right after unpacking" and waiting for a background update might not be feasible for the actual user.