Notice that using pip as the installation method is not the recommended method for most Linux distributions. While it could have been the only way for @onmeac to update their certbot, please refer to https://certbot.eff.org/ to check the recommended installation method for your distribution/OS.
For sure, thank you. Definitely something we'll need to consider doing. I didn't realize our version was that far behind what's current.
Also a tad bit hesitant to update as I didn't write the automation and scripting we have set up so we'll definitely need to do a bunch of testing to make sure it doesn't break our current setup. But this is probably something we should do regardless.
I have exactly the same issue as @onmeac:
I ran certbot renew --force-renewal --preferred-chain "ISRG Root X1",
in /etc/letsencrypt/renewal/<domain>.conf I have preferred_chain = ISRG Root X1 and version = 1.20.0, but despite this my cert.pem still depends on R3.
I'm checking the certificate by running the following command:

```
openssl s_client -servername mydomain.ca -showcerts -connect mydomain.ca:443
```

and I still have:

```
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mydomain.ca
```
Does someone have an idea of how to fix this?
I tried the use of certbot installed by pip3 (after stopping any services listening on ports 80/443), as @onmeac did, but it didn't fix the issue.
Your chain is the expected one if you specify `preferred_chain = ISRG Root X1`.
The R3 intermediate is always the issuer for all Let's Encrypt certificates. If you used the long chain, you would also be serving a path that refers to the expired DST Root CA X3. Since you specified the preferred chain, you are not serving that path and your server's suggested trust path chains up to ISRG Root X1, via R3, like all other current Let's Encrypt certificates.
Sorry, I mistook what you were saying about your openssl output.
Can you tell us your real domain? And what's in your fullchain.pem file? You didn't copy chain.pem elsewhere or hard-code a reference to a particular version of it or anything, right?
This is a regular output for OpenSSL chaining up to the ISRG Root X1 certificate. For example, if I connect to acme-v02.api.letsencrypt.org, which is also using the "short chain", my OpenSSL outputs:
```
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1
---
Certificate chain
 0 s:CN = acme-v01.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
```
So from that first output you can only see to which cert the chain is being built. But with the output just below that, you can see the chain sent by the server.
Maybe indeed. The first part of the OpenSSL output is just like when viewing the cert chain in a browser: it's showing which chain is being built. The second part is more interesting. For example, this is my OpenSSL output for the long chain:
```
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = lencr.org
verify return:1
---
Certificate chain
 0 s:CN = lencr.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
```
Notice that the chain sent by the server is different (bottom part), but the top part, the chain actually built, is identical to the short chain above! (Besides the hostname of the site of course..) That's because my OpenSSL (1.1.1) will terminate the chain at ISRG Root X1, even with the long chain being sent by the server. Just like most browsers.
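Added example, not posted by anyone in this thread: a small Python script that makes the distinction drawn in the two posts above (the "chain being built" versus the "chain sent by the server") mechanical. It parses the text that `openssl s_client -showcerts -connect host:443 -servername host </dev/null` prints, keeps the `depth=` lines (the path the local OpenSSL verified) apart from the `Certificate chain` block (what the server transmitted), and classifies a served Let's Encrypt chain as "short" (ends at an intermediate issued by ISRG Root X1) or "long" (also carries ISRG Root X1 cross-signed by DST Root CA X3). The two sample transcripts embedded below are the ones quoted in the thread, with the PEM blobs that `-showcerts` also prints left out; the function names and the `openssl` invocation are this example's own choices, not something from certbot or the thread.

```python
"""Separate the verified path from the served chain in `openssl s_client` output."""
import re
import sys

# Constructed sample input: the two transcripts quoted in the thread above
# (short chain from acme-v02.api.letsencrypt.org, long chain from lencr.org).
SHORT_CHAIN_OUTPUT = """\
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1
---
Certificate chain
 0 s:CN = acme-v01.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""

LONG_CHAIN_OUTPUT = """\
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = lencr.org
verify return:1
---
Certificate chain
 0 s:CN = lencr.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

DEPTH_RE = re.compile(r"^\s*depth=(\d+)\s+(.*)$")      # path built by local OpenSSL
SENT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")           # subject of a served cert
ISSUER_RE = re.compile(r"^\s*i:(.*)$")                 # issuer of that served cert


def parse_s_client(output: str) -> dict:
    """Return {'built': [(depth, subject)], 'sent': [(subject, issuer)]}."""
    built, sent = [], []
    in_chain = False
    pending_subject = None
    for line in output.splitlines():
        m = DEPTH_RE.match(line)
        if m:
            built.append((int(m.group(1)), m.group(2).strip()))
            continue
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":          # end of the served-chain block
            in_chain = False
            continue
        m = SENT_RE.match(line)
        if m:
            pending_subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and pending_subject is not None:
            sent.append((pending_subject, m.group(1).strip()))
            pending_subject = None
    return {"built": built, "sent": sent}


def top_of_built_path(parsed: dict):
    """Subject of the deepest cert OpenSSL verified, i.e. where it stopped."""
    if not parsed["built"]:
        return None
    return max(parsed["built"], key=lambda d: d[0])[1]


def classify_le_chain(sent) -> str:
    """'long' if the served chain carries the DST Root CA X3 cross-sign,
    'short' if it ends at a Let's Encrypt intermediate issued by ISRG Root X1."""
    if not sent:
        return "other"
    if any("DST Root CA X3" in issuer for _, issuer in sent):
        return "long"
    last_subject, last_issuer = sent[-1]
    if "O = Let's Encrypt" in last_subject and "ISRG Root X1" in last_issuer:
        return "short"
    return "other"


def summarize(output: str) -> dict:
    parsed = parse_s_client(output)
    return {"served": classify_le_chain(parsed["sent"]),
            "served_count": len(parsed["sent"]),
            "verified_up_to": top_of_built_path(parsed)}


if __name__ == "__main__":
    # Pipe real output in, or run without input to see the two thread samples.
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    samples = [data] if data else [SHORT_CHAIN_OUTPUT, LONG_CHAIN_OUTPUT]
    for sample in samples:
        print(summarize(sample))
```

Running it on the two transcripts reports `served: short, served_count: 2` and `served: long, served_count: 3`, while `verified_up_to` is ISRG Root X1 in both cases, which is exactly the point made above: the served chain differs, the path a modern OpenSSL builds does not.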
The real domain is explogroup.ca
I have the certificates in the same folder as my express server. After renewing the certificates I delete the old ones and copy the new ones from /etc/letsencrypt/live/explogroup.ca
The fullchain.pem is the following:
Oh sorry, I forgot to write that I'm currently trying to use fullchain.pem instead of cert.pem
About what you wrote yesterday @Osiris , it seems that https://www.lencr.org is working for me, but not https://www.explogroup.ca. By "not working", I mean with Safari on my Macbook I have an issue "This connection is not Private"
Thanks! So, your site is currently correctly sending the short chain as you requested to, and your certificate configuration is valid. Are you having some compatibility or validation problems that are still concerning you?
With Safari (version 14.1.2) on my Macbook Pro (macOS Big Sur version 11.6) I still have the "This connection is not private" issue.
The trouble is that probably several of the visitors of the website will have the issue.
I was wondering if there is a way to fix this.
www.lencr.org sends the long chain. www.explogroup.ca is using the short chain. Have you tried using the long chain? Was there a reason you needed to use the short chain?