Production environment we are getting exception when processing Orders

Hi Guys,

On Production Environment we are getting this error:
Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'.

This started happening from 9th November. Is this related to some change on the Let's Encrypt side?

Thanks in Advance

1 Like

Are you by chance also using Azure App Services as in this post?

2 Likes

I am indeed sir.

Just started 3 days ago.

How are you doing the certificate renewal?

Multiple distinct people reporting the same issue that all happen to be using Azure App Service suggests the change that is causing the problem was made on the Azure side of things.

Folks here might be able to help try diagnosing some things. But it would probably also be wise to open a support ticket with Azure about it.

To be clear, I don't personally use Azure App Service. I'm just a volunteer lurker on these forums trying to help.

4 Likes

I made a change to production 4 days ago on the 9th that changed the ordering of part of a configuration, which led to this. It just rolled back in Staging.

My apologies.

7 Likes

Did it inadvertently start serving the short chain as the default? Because that's what it looks like based on a cert I just grabbed from Prod.

4 Likes

Yes, that chain got sorted first.

5 Likes

Sounds like this could explain LE Staging primary and alternate chains (for RSA keys) seemingly being swapped for the past few days?

primary chain returned for LE Staging certificate renewed on 04 November (and previous):
Certificate:
      subject: {b'CN': b'www.appoptimization.com'}
      issuer: {b'C': b'US', b'O': b"(STAGING) Let's Encrypt", b'CN': b'(STAGING) Artificial Apricot R3'}
      serialNumber: faaaca547b9e13170b2407496f667c9aa4be
      version: 2
      notBefore: 2023-11-04 20:49:26
      notAfter: 2024-02-02 20:49:25
Certificate:
      subject: {b'C': b'US', b'O': b"(STAGING) Let's Encrypt", b'CN': b'(STAGING) Artificial Apricot R3'}
      issuer: {b'C': b'US', b'O': b'(STAGING) Internet Security Research Group', b'CN': b'(STAGING) Pretend Pear X1'}
      serialNumber: 4df42b95d1ee9b3a4c2eb33b8d105dd6
      version: 2
      notBefore: 2020-09-04 00:00:00
      notAfter: 2025-09-15 16:00:00
Certificate:
      subject: {b'C': b'US', b'O': b'(STAGING) Internet Security Research Group', b'CN': b'(STAGING) Pretend Pear X1'}
      issuer: {b'C': b'US', b'O': b'(STAGING) Internet Security Research Group', b'CN': b'(STAGING) Doctored Durian Root CA X3'}
      serialNumber: ed5d5bc96dfbdf4d3ecd6a498dd1b3c7
      version: 2
      notBefore: 2021-01-20 19:14:03
      notAfter: 2024-09-30 18:14:03

primary chain returned for LE Staging certificate renewed on 08 November (and thereafter):
Certificate:
      subject: {b'CN': b'www.appoptimization.com'}
      issuer: {b'C': b'US', b'O': b"(STAGING) Let's Encrypt", b'CN': b'(STAGING) Artificial Apricot R3'}
      serialNumber: fa076365b2b4080b8ce83022113ecebc6e52
      version: 2
      notBefore: 2023-11-08 20:52:26
      notAfter: 2024-02-06 20:52:25
Certificate:
      subject: {b'C': b'US', b'O': b"(STAGING) Let's Encrypt", b'CN': b'(STAGING) Artificial Apricot R3'}
      issuer: {b'C': b'US', b'O': b'(STAGING) Internet Security Research Group', b'CN': b'(STAGING) Pretend Pear X1'}
      serialNumber: 4df42b95d1ee9b3a4c2eb33b8d105dd6
      version: 2
      notBefore: 2020-09-04 00:00:00
      notAfter: 2025-09-15 16:00:00

1 Like

Right, this change spent some days in staging (where it swapped it until this morning) before it went to production.

5 Likes

Hi, can I ask when production will be fixed so I can re-run the renewal on affected sites?

Many thanks,

Rob

1 Like

The change has finished rolling out now.

3 Likes

If you renew your certificate now (or simply re-download the existing certificate) it should come with the chain that you expect.

That said, this is related to our announcement from July: the short chain you got this time will become the default in Feb 2024, and the longer compatibility chain you expected will go away entirely in June 2024. If you truly need the longer chain to support users on Android 7.0 or below, then you will need to configure your client to request the alternate chain before Feb, and you will need to find some other solution (e.g. encouraging your users to upgrade) before June.

7 Likes
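
As an added example (not code from the thread or from Let's Encrypt), this parses the dump format posted earlier in the thread and shows why a client that only knows the older root fails on the short chain with the same kind of error as in the first post. It compares names by CN only, with no signature or validity checks, and the two trust stores are constructed assumptions.

```python
import ast
import re

# Subject/issuer lines of the long staging chain, copied from the dump in the thread.
LONG = """\
Certificate:
      subject: {b'CN': b'www.appoptimization.com'}
      issuer: {b'C': b'US', b'O': b"(STAGING) Let's Encrypt", b'CN': b'(STAGING) Artificial Apricot R3'}
Certificate:
      subject: {b'C': b'US', b'O': b"(STAGING) Let's Encrypt", b'CN': b'(STAGING) Artificial Apricot R3'}
      issuer: {b'C': b'US', b'O': b'(STAGING) Internet Security Research Group', b'CN': b'(STAGING) Pretend Pear X1'}
Certificate:
      subject: {b'C': b'US', b'O': b'(STAGING) Internet Security Research Group', b'CN': b'(STAGING) Pretend Pear X1'}
      issuer: {b'C': b'US', b'O': b'(STAGING) Internet Security Research Group', b'CN': b'(STAGING) Doctored Durian Root CA X3'}
"""
# The short chain is the same dump without the last (cross-signed) certificate.
SHORT = LONG.rsplit("Certificate:", 1)[0]
# Constructed trust stores (assumptions): one client knows only the older root, one the newer.
OLD_CLIENT = {"(STAGING) Doctored Durian Root CA X3"}
NEW_CLIENT = {"(STAGING) Pretend Pear X1"}
FIELD = re.compile(r"^\s*(subject|issuer):\s*(\{.*\})\s*$")

def parse_dump(text):
    """Return one {'subject': CN, 'issuer': CN} dict per 'Certificate:' block."""
    certs = []
    for line in text.splitlines():
        if line.strip() == "Certificate:":
            certs.append({})
            continue
        m = FIELD.match(line)
        if m and certs:
            name = ast.literal_eval(m.group(2))  # dict of bytes -> bytes
            certs[-1][m.group(1)] = name[b"CN"].decode()
    return certs

def check_chain(certs, trusted_roots):
    """Walk leaf-to-root; succeed at the first issuer found in the trust store."""
    if not certs:
        return False, "no certificates in dump"
    for i, cert in enumerate(certs):
        if cert["issuer"] in trusted_roots:
            return True, f"anchored at '{cert['issuer']}'"
        if i + 1 == len(certs):
            break  # ran out of served certificates without reaching a trusted issuer
        if certs[i + 1]["subject"] != cert["issuer"]:
            return False, f"chain broken after '{cert['subject']}'"
    return False, f"cannot find issuer '{cert['issuer']}' for certificate '{cert['subject']}'"
```
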
