My existing Let's Encrypt SSL on my IceWarp installation renewed as expected; however, it started being rejected (it's been in use for over a year now) because the TLS certificate is not trusted: Let's Encrypt Authority X3, Issuer DST ROOT CA X3. It is and always has been an automated process. Is there anything I can do to replace this intermediate certificate? Everything else passes and is good.
The certificate in IceWarp has a green checkmark and expiry May 2021.
My domain is: mail.mcspowermail.com
The operating system my web server runs on is (include version): Windows Server 2008 R2
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no
That's not the currently used intermediate. Currently, certs are signed by "R3". See Chain of Trust - Let's Encrypt for more info. Sounds like your intermediate is hardcoded, which is a bad thing to do. The intermediate should be updated whenever the certificate is renewed to the actual signing intermediate.
In any case, I don't have experience with Windows Server, so I'm not the guy to ask how to fix this I'm afraid.
Thank you for the verification. That is exactly the issue.
It's an automated process which has never previously had an issue, so I don't know how to change the intermediate.
Thanks anyway. I appreciate it. I guess the developer will have to advise me.
ACMEv2 is just the name of one out of two possible ACME server endpoints currently served by Let's Encrypt, where the v1 endpoint uses an earlier version of the ACME protocol and is being phased out, and v2 is the current RFC 8555 version of the ACME protocol. It's not the name of the ACME client used. But they could be running their own "in-house" built client instead of an "off the shelf" client.
In any case, they should fix whatever client is used to use the correct intermediate.
Make sure that when your developers fix it, they have it use the ACME protocol to get the intermediate from the ACME server each time they get a certificate. Intermediates can change at any time so the only way to be sure you're getting the certificate chain (which will likely involve more than one certificate in the future) that signs the certificate they're getting is to retrieve it as part of the certificate download process.
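As an added example (not code from the thread, from IceWarp or from Let's Encrypt), the Go program below reproduces the failure mode described above with constructed, throwaway certificates: a root, a retired intermediate, a current intermediate, and a renewed leaf signed by the current one. It then verifies the leaf twice, once with the stale, hardcoded intermediate and once with the chain taken from the leaf-first PEM bundle an ACME certificate download returns. The names "Test Intermediate X3", "Test Intermediate R3" and the hostname mail.example.test are placeholders chosen for the example, not the poster's domain or real Let's Encrypt certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

const host = "mail.example.test" // constructed hostname, not the poster's domain
var serial int64                 // unique serials for the constructed certificates

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert builds a throwaway test certificate for cn: self-signed when parent is nil, otherwise signed by parent with parentKey.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if !isCA {
		tmpl.DNSNames = []string{host} // SAN, which hostname verification requires
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// ParseChainPEM splits a PEM bundle, in the leaf-first order an ACME certificate download (RFC 8555 section 7.4.2) uses, into the leaf and the intermediates after it.
func ParseChainPEM(data []byte) (*x509.Certificate, []*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, nil, errors.New("no certificates in bundle")
	}
	return certs[0], certs[1:], nil
}

// VerifyChain checks that leaf chains to root through intermediates for host, as a mail client would.
func VerifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// Scenario reproduces the thread's failure: the CA retires intermediate "X3" and signs renewed leaves with "R3".
// Serving the renewed leaf with the stale, hardcoded X3 fails; serving the chain that came with the leaf succeeds.
func Scenario() (staleErr, freshErr error, issuer string) {
	root, rootKey := mkCert("Test Root CA", true, nil, nil)
	oldInter, _ := mkCert("Test Intermediate X3", true, root, rootKey)
	newInter, newKey := mkCert("Test Intermediate R3", true, root, rootKey)
	leaf, _ := mkCert(host, false, newInter, newKey)
	// A client that pins the old intermediate presents this chain.
	staleErr = VerifyChain(leaf, []*x509.Certificate{oldInter}, root)
	// The ACME download returns the leaf followed by its current chain; keep and serve that.
	var bundle []byte
	for _, c := range []*x509.Certificate{leaf, newInter} {
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	gotLeaf, gotInters, err := ParseChainPEM(bundle)
	if err != nil {
		return staleErr, err, ""
	}
	return staleErr, VerifyChain(gotLeaf, gotInters, root), gotLeaf.Issuer.CommonName
}
```

The stale case fails because no certificate in the presented chain has a subject matching the leaf's issuer, which is exactly the "not trusted" error clients report when an old intermediate is served with a renewed certificate. Replacing the intermediate on disk with whatever follows the leaf in the download, every renewal, is the fix the post above recommends.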
Perhaps I could have if I knew more about it. There was pressure from higher up to have it fixed as quickly as possible.
The program allows you to choose between 3rd party certificates, self-signed or Let's Encrypt. If you choose LE, everything is automated. Other than defining the domain there are no other steps and no interaction.
The commercial certificate gives me the time to look more closely at the LE certificates.
Can you install any "random" certificate at the "3rd party certificates" option? For example, the commercial certificate you got now, did you install it by uploading the certificate and intermediates to the control panel? Or how should I see that option?
It's a process where you go back to the generated CSR in IceWarp, double click that, and it will ask for the location of the certificate files that you have generated and uploaded from the vendor.
While I certainly truly do appreciate all of the feedback and support, I was under pressure to have the SSL in place immediately. The LE version had been running and updating itself for almost a year without issue on software that has been running for several years before that with commercial certificates.
I had no say in the software, or any option to replace it at this time, and no reason to believe that the renewal would suddenly fail and "all I had to do was ask" for an alternative to something I am not in any position to change.
Thank you again to Osiris and all others who offered their input. I certainly do now have a clearer understanding of the situation and feel more comfortable in dealing with it.