Root certificate is a new format and now I'm rate limited

daveseff · October 5, 2021, 12:35am

We use the puppet letsencrypt module on our mail server on ubuntu 16.04. We did not realize that the root cert expired. The version of certbot that is provided with ubuntu 16.04 does not support --preferred-chain "ISRG Root X1" so the system was renewing the cert using the old method. So now we're stuffed because once we realized what was happening, and that we need to renew manually with a newer certbot, we are now rate limited. So do we now have a to have a week of downtime because of this? I have certs issued now with the wrong chain. Are they useless or is there something I can do to incorporate the new root cert?

Thanks

eva2000 · October 5, 2021, 12:40am

You can temporarily use a different ACME protocol SSL cert provider like ZeroSSL via an alternate ACME compatible client like acme.sh. Some of my users find it the easiest way if you run into rate limits as ZeroSSL doesn't have a rate limit https://blog.centminmod.com/2021/10/02/2425/centmin-mod-managing-letsencrypt-dst-root-ca-x3-certificate-expiration-on-centos-7/

ZeroSSL will in theory allow somewhat older devices to still work with ZeroSSL SSL certificates as they have three CA root certificates that are likely to be in devices’ trust stores – the first two listed are in most modern browsers while the third is cross-signed to support older devices:

USERTrust RSA Certification Authority & USERTrust ECC Certification Authority root

COMODO RSA Certification Authority & COMODO ECC Certification Authority root

AAA Certificate Services root (cross-signed to support older devices)

daveseff · October 5, 2021, 12:42am

Thank you very much for this. I will look at ZeroSSL straight away.

rg305 · October 5, 2021, 3:51am

They are very much still useful (so long as you have their private keys).
Changing their chains can be done manually.
How many certs are you dealing with (having this problem)?

daveseff · October 7, 2021, 1:20am

I had to get my system back up and running. I switched to using ZeroSSL for the time being.

rg305 · October 7, 2021, 1:30am

That works too

system · November 6, 2021, 1:31am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certbot has been configured to prefer certificate chains with issuer 'ISRG Root X1', but no chain from the CA matched this issuer. Using the default certificate chain instead Help	21	4329	February 8, 2022
Old ISRG root certificate in chain after renewal Help	10	1838	December 23, 2021
DST Root CA X3 Expiration Help	16	2768	December 12, 2021
How do we stick to IdenTrust cross-signed after September Help	5	1212	September 17, 2020
Trouble updating certbot to get the --prefered-chain command (to force ISRG Root X1) Client dev	8	1480	November 3, 2021

Root certificate is a new format and now I'm rate limited

Related topics