A client manufactures Android devices and they also have a lot that are older than Android 8.
So I was closely following the LE blog posts about the changes; today the topic came back during a meeting and I was double-checking to make sure what the impact would be for us.
What happens when the new cross-sign expires? This new cross-sign will expire in early 2024. Prior to that, perhaps as early as June 2021, we will be making a similar change to what we intended to make this January. When we make that change, subscribers will have the option to continue using DST Root CA X3 by configuring their ACME client to specifically request it.
"subscribers will have the option to continue using DST Root CA X3 by configuring their ACME client to specifically request it" but from my understanding this shouldn't be the case and it will use DST Root CA X3 by default or not?
We just want to make sure, because the impact might be very big for us if this is not the case.
So I think my main question is will certbot by default continue issuing certs that use DST Root CA X3?
And for how long? In the blog post it is mentioned until early 2024.
I think that paragraph in the blog post is just wrong now, based on outdated information from the original plan. I'd suggest looking at the recently-put-together announcement on upcoming chain changes:
But there's certainly been a lot of confusion by a lot of people about what's happening.
If your client can push updates to their devices, do a proper job and push an update with a newer root CA list that has the ISRG X1 cert included (and other security patches if possible).
@jple: I'm assuming you're the one to contact about this, or at least you'd know who to bring in. I think the above-quoted paragraph in the blog post is wrong now that the plan is to have DST Root X3 as the root of the default chain. If so, can you see if the blog post can get updated? I suspect that information about the old plan still being out there may be behind a lot of the confusion people are having.
I've got an older Android 7.0 device, and the cert for https://waverley.smartcitiestransport.com/ renewed two days ago. I just noticed today that it's not working in Chromium (web view) but it works fine in Chrome. logcat is giving me an error like E chromium: [ERROR:ssl_client_socket_impl.cc(947)] handshake failed; returned -1, SSL error code 1, net_error -202 so I assume something has changed in the cert. I don't really know how to look at the certificate, but do I need to do something to get a compatible certificate?
The first chain shown by Qualys SSL Labs is the one sent on the connection. The second chain is constructed from the CA Issuers - URI:http://r3.i.lencr.org/ URL in the leaf certificate. That is a different R3 intermediate certificate than the one sent on the TLS channel; it is signed by DST Root CA X3 instead of ISRG Root X1.
The web site waverley.smartcitiestransport.com is using the recent non-default chain, or the older chain (I do not know; are they the same?). Many ACME clients permit the selection of the non-default chain, and yes, someone has to specifically ask for that. So your previous question is pertinent: which ACME client is the user using? Is there any special flag provided to that client? Another option is that the chain is not updated from the ACME client towards the webserver; that would be bad.
I will ask my hosting provider, which is getting the certificate for me. And I will point them at this thread which seems to have all the useful information. Thanks.
Update: I got to thinking about this more... if the provider is actually sending ISRG Root X1, it would almost certainly be the ISRG Root X1 signed by DST Root CA X3 as it would make no sense to send the self-signed root (and thus be sending the entire chain). If ISRG Root X1 is absent from the chain that is being sent then the self-signed is assumed to be trusted.
So this:
seems to imply the alternate chain (with trusted, self-signed ISRG Root X1). I may have way overexplained all this.
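The posts above reason about which chain a server sends and why an old Android trust store accepts one layout and rejects another. The following is an added example, not code from the thread or from Let's Encrypt: a simplified model of name-based path building (issuer name matched against the served chain, then against the trust store), run over the three chain layouts discussed here. The certificate names are constructed stand-ins with no keys or signatures, the trust store contents are an assumption (ISRG Root X1 was added to Android in 7.1.1, so the "android-7.0" store lacks it), and the model ignores signatures and validity periods entirely.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Only the naming of an X.509 certificate, which is all that name-based
    path building needs. Real certificates also carry keys, signatures
    and validity periods, which this model deliberately ignores."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed stand-ins for the certificates discussed in the thread.
LEAF = Cert("waverley.smartcitiestransport.com", "R3")
R3_FROM_ISRG = Cert("R3", "ISRG Root X1")            # R3 issued by ISRG Root X1
R3_FROM_DST = Cert("R3", "DST Root CA X3")           # older R3, issued by DST Root CA X3
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3")  # ISRG Root X1 cross-signed by DST Root CA X3

# Chains as a server would send them: leaf first, self-signed root omitted.
CHAINS = {
    "short": [LEAF, R3_FROM_ISRG],                 # relies on ISRG Root X1 being in the client store
    "long-default": [LEAF, R3_FROM_ISRG, ISRG_CROSS],
    "alternate": [LEAF, R3_FROM_DST],
}

# Trust stores keyed by root subject name (assumption: ISRG Root X1 first
# shipped in Android 7.1.1, so an Android 7.0 store has only DST Root CA X3).
TRUST_STORES = {
    "android-7.0": {"DST Root CA X3"},
    "modern": {"DST Root CA X3", "ISRG Root X1"},
}


def build_path(chain, trust_store):
    """Walk from the leaf, resolving each issuer from the served chain, and
    stop as soon as an issuer name is present in the trust store.

    Returns (list of subject names on the path, anchor name or None)."""
    by_subject = {c.subject: c for c in chain}
    current = chain[0]
    path = [current.subject]
    seen = {current.subject}
    while True:
        if current.issuer in trust_store:
            return path, current.issuer
        nxt = by_subject.get(current.issuer)
        # Dead end: issuer neither served nor trusted, a loop, or an untrusted root.
        if nxt is None or nxt.subject in seen or nxt.self_signed:
            return path, None
        seen.add(nxt.subject)
        path.append(nxt.subject)
        current = nxt


def served_root_name(chain):
    """What SSL Labs reports as the root of the *served* chain: the issuer
    of the last certificate the server sent."""
    return chain[-1].issuer


def evaluate_all():
    """Anchor reached (or None) for every chain layout and trust store."""
    return {
        (chain_name, store_name): build_path(chain, store)[1]
        for chain_name, chain in CHAINS.items()
        for store_name, store in TRUST_STORES.items()
    }


if __name__ == "__main__":
    for chain_name, chain in CHAINS.items():
        print(f"{chain_name}: served chain ends at {served_root_name(chain)}")
        for store_name, store in TRUST_STORES.items():
            path, anchor = build_path(chain, store)
            verdict = f"trusted via {anchor}" if anchor else "NO TRUSTED PATH"
            print(f"  {store_name:12s} {' -> '.join(path)} : {verdict}")
```

Running it shows the point made in the thread: the short chain only validates where ISRG Root X1 is already in the store, while the long default chain and the alternate chain both reach DST Root CA X3 on the Android 7.0 store. A modern store stops at ISRG Root X1 even when the cross-signed certificate is served, since it already trusts that name. To feed real data into this model, pull the served chain with `openssl s_client -connect host:443 -servername host -showcerts` and read each block's names with `openssl x509 -noout -subject -issuer`.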
Updated to include a warning that the information may be incorrect and to check this page on the forum: Production Chain Changes
PRs:
As always, feel free to make a PR in our GitHub repo with these changes and ping me @jaykaypea so I can have someone from our team merge! I love having an open source website.