We're using Posh-ACME to get new 90-day certs, which is working great, but for some reason it's not pulling in an updated root and intermediate cert. The PowerShell command I'm running to get my certs is:
But when I look at the cert, the only thing that is updating is our wildcard; the others show expiration 9/29. Is there a procedure someone can point me to for help in getting the newer certs?
Is the reason you're using the -AllAccounts flag because you actually have multiple accounts configured? What does the output of Get-PAAccount -List look like?
Where are you looking at the cert? In PowerShell? On the filesystem? In the Windows cert store? Posh-ACME doesn't install new certs to the Windows cert store by default unless the order has been configured to do so. It also won't work if you're not running the renewal process as admin.
This is probably the Windows R3 problem. Run certlm.msc, browse to Intermediate Certification Authorities > Certificates, find the R3 issued by DST Root CA X3, and right-click > Properties. Check 'Disable all purposes for this certificate'. The old/expiring R3 will no longer be served by your chain (a reboot may be required to make it happen in some cases).
Actually, in testing my above advice (which is second-hand from somewhere else) I'm still seeing the wrong chain even after disabling the cert purposes and rebooting. Just delete it (and reboot) instead.
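The same cleanup, scripted, as an added example that is not part of the thread above and not Posh-ACME's own code: it lists every R3 intermediate in the machine's Intermediate Certification Authorities store, removes only the one issued by DST Root CA X3, confirms the R3 issued by ISRG Root X1 is still present, and then rebuilds the chain Windows will serve for the leaf so you can see which root it now terminates at. It assumes an elevated PowerShell session, that the leaf certificate lives in Cert:\LocalMachine\My, and that the current Posh-ACME order's certificate (from Get-PACertificate) is the one you want to check; substitute your own thumbprint if not.

```powershell
# Added example (not from the thread). Run as Administrator: Remove-Item on the
# LocalMachine store requires elevation.
$store = 'Cert:\LocalMachine\CA'   # Intermediate Certification Authorities

# 1. Show every R3 intermediate currently in the store, with issuer and expiry.
$r3 = Get-ChildItem $store | Where-Object { $_.Subject -like 'CN=R3,*' }
$r3 | Format-Table Thumbprint, Issuer, NotAfter -AutoSize

# 2. Remove only the R3 cross-signed by DST Root CA X3 (the expiring one).
$stale = $r3 | Where-Object { $_.Issuer -like '*DST Root CA X3*' }
if (-not $stale) {
    Write-Host "No R3 issued by DST Root CA X3 found in $store"
}
else {
    foreach ($cert in $stale) {
        Write-Host "Removing $($cert.Thumbprint) issued by '$($cert.Issuer)' (expires $($cert.NotAfter))"
        Remove-Item -Path (Join-Path $store $cert.Thumbprint)
    }
}

# 3. Sanity check: the R3 issued by ISRG Root X1 must remain, or chain building
#    will fall back to whatever else Windows can find (or fail).
$good = Get-ChildItem $store | Where-Object {
    $_.Subject -like 'CN=R3,*' -and $_.Issuer -like '*ISRG Root X1*'
}
if (-not $good) {
    Write-Warning "No R3 issued by ISRG Root X1 in $store; re-import the chain from your Posh-ACME order (ChainFile)."
}

# 4. Rebuild the chain for the leaf exactly as the Windows chain engine would.
#    Assumption: the leaf from the current Posh-ACME order is installed in
#    LocalMachine\My. Replace the thumbprint lookup with your own if needed.
$leafThumbprint = (Get-PACertificate).Thumbprint
$leaf = Get-Item "Cert:\LocalMachine\My\$leafThumbprint"

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is not the point here
$null = $chain.Build($leaf)

# Leaf first, then intermediate(s), then the root Windows selected.
$chain.ChainElements | ForEach-Object { $_.Certificate } |
    Select-Object Subject, Issuer, NotAfter
```

If step 4 still shows the chain ending at DST Root CA X3, the running services (IIS, Schannel) are likely holding a cached chain; as the post above notes, a reboot was what actually made the new chain take effect. Rerun the last block after the reboot to confirm the root is now ISRG Root X1.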