Renewed Certificate has failed intermediate

My existing Lets Encrypt SSL on my Icewarp installation renewed as expected, however it started being rejected (it's been in use for over a year now) because the TLS certificate is not trusted: Let's Encrypt Authority X3, Issuer DST ROOT CA X3. It is and always has been an automated process - Is there anything I can do to replace this intermediate certificate? Everything else passes and is good.
The certificate IN icewarp has green checkmark and expiry May 2021.

My domain is:mail.mcspowermail.com

The operating system my web server runs on is (include version): Windows Server 2008 R2

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

1 Like

That's not the currently used intermediate. Currently, certs are signed by "R3". See Chain of Trust - Let's Encrypt - Free SSL/TLS Certificates for more info. Sounds like your intermediate is hardcoded, which is a bad thing to do. The intermediate should be updated whenever the certificate is renewed to the actual signing intermediate.

In any case, I don't have experience with Windows Server, so I'm not the guy to ask how to fix this I'm afraid.

3 Likes

Thank you for the verification. That is exactly the issue.
It's an automated process which has never previously has an issue so I don't know how to change the intermediate.

Thanks anyway. I appreciate it. I guess the developer will have to advise me.

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

This is specifically the intermediate certificate that's needed:

https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem

2 Likes

Which developer? Is "Icewarp" also an ACME client?

1 Like

I have been told by the developers of Icewarp that they are using Acme v2.

1 Like

Thank you very much for this. Greatly appreciated.

2 Likes

ACMEv2 is just the name of one out of two possible ACME server endpoints currently served by Let's Encrypt, where the v1 endpoint uses an earlier version of the ACME protocol and is being phased out and v2 is the current RFC 8555 version of the ACME protocol. It's not the name of the ACME client used. But they could be running their own "in-house" build client in stead of an "off the shelf" client.

In any case, they should fix whatever client is used to use the correct intermediate.

2 Likes

Thank you again for your time and explanation.
At this point, we are waiting on their response.

2 Likes

Make sure that when your developers fix it, they have it use the ACME protocol to get the intermediate from the ACME server each time they get a certificate. Intermediates can change at any time so the only way to be sure you're getting the certificate chain (which will likely involve more than one certificate in the future) that signs the certificate they're getting is to retrieve it as part of the certificate download process.

3 Likes

Hi gkyle001, is there any new information for this issue?

Unfortunately, no. The developers have not given a definitive answer, so we had to switch to a commercial certificate. Still no update.

Your current commercial certificate uses three intermediate certificates.

Howcome you're able to install those certificates, but not the single intermediate from Let's Encrypt? :confused:

2 Likes

Perhaps I could have if I knew more about it. There was pressure from higher up to have it fixed as quickly as possible.
The program allows you to choose between 3rd party certificates, self signed or Lets Encrypt. If you choose LE, everything is automated. Other than defining the domain there are no other steps and no interaction.
The commercial certificate gives me the time to look more closely at the LE certificates.

Can you install any "random" certificate at the "3rd party certificates" option? For example, the commercial certificate you got now, did you install it by uploading the certificate and intermediates to the control panel? Or how should I see that option?

I would assume so. I generate a CSR in the program I'm using, then input that CSR in the SSL vendor's system which then generates the certificates.

And how did you manage to get those certificates into your Icewarp server?

It's a process where you go back to the generated CSR in Icewarp, double click that and it will ask for the location of the certificate files that you have been generated and uploaded from the vendor.

Ah, I see, so it has an upload feature.

Well, hate to say it, but there are plenty of ACME clients which can use a CSR as input to get a Let's Encrypt certificate.. Only you had asked.

1 Like

While I certainly truly do appreciate all of the feedback and support, I was under pressure to have the SSL in place immediately. The LE version had been running and updating itself for almost a year without issue on software that has been running for several years before that with commercial certificates.
I had no say in the software, or any option to replace it at this time, and no reason to believe that the renewal would suddenly fail and "all I had to do was ask" for an alternative to something I am not in any position to change.

Thank you again to Osiris and all others who offered their input. I certainly do now have a clearer understanding of the situation and feel more comfortable in dealing with it.