My domain is:
We use the puppet letsencrypt module on our mail server on ubuntu 16.04. We did not realize that the root cert expired. The version of certbot that is provided with ubuntu 16.04 does not support --preferred-chain "ISRG Root X1" so the system was renewing the cert using the old method. So now we're stuffed because once we realized what was happening, and that we need to renew manually with a newer certbot, we are now rate limited. So do we now have a to have a week of downtime because of this? I have certs issued now with the wrong chain. Are they useless or is there something I can do to incorporate the new root cert?
You can temporarily use a different ACME protocol SSL cert provider like ZeroSSL via an alternate ACME compatible client like acme.sh. Some of my users find it the easiest way if you run into rate limits as ZeroSSL doesn't have a rate limit https://blog.centminmod.com/2021/10/02/2425/centmin-mod-managing-letsencrypt-dst-root-ca-x3-certificate-expiration-on-centos-7/
ZeroSSL will in theory allow somewhat older devices to still work with ZeroSSL SSL certificates as they have three CA root certificates that are likely to be in devices’ trust stores – the first two listed are in most modern browsers while the third is cross-signed to support older devices:
- USERTrust RSA Certification Authority & USERTrust ECC Certification Authority root
- COMODO RSA Certification Authority & COMODO ECC Certification Authority root
- AAA Certificate Services root (cross-signed to support older devices)
Thank you very much for this. I will look at ZeroSSL straight away.
They are very much still useful (so long as you have their private keys).
Changing their chains can be done manually.
How many certs are you dealing with (having this problem)?
I had to get my system back up and running. I switched to using ZeroSSL for the time being.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.