Shortening the Let's Encrypt Chain of Trust

manuel121 · February 14, 2024, 6:32am

Hello All,

It looks like renewing a certificate provides the shorter chain since Feb 8, 2024.

On Thursday, Feb 8th, 2024, we stopped providing the cross-sign by default in requests made to our /acme/certificate API endpoint. For most Subscribers, this means that your ACME client will configure a chain which terminates at ISRG Root X1, and your webserver will begin providing this shorter chain in all TLS handshakes. The longer chain, terminating at the soon-to-expire cross-sign, will still be available as an alternate chain which you can configure your client to request.

In line with this, is it still possible to request the longer chain and how to do it? I may have misundertood this statement -> "The longer chain, terminating at the soon-to-expire cross-sign, will still be available as an alternate chain which you can configure your client to request."

Thank you.

Best regards,
JB

orangepizza · February 14, 2024, 6:46am

well I shoudl ask what client you are using, but after few months that option goes away too, so you'd better prepared to adapt to short chain or move to other certificate authority

Osiris · February 14, 2024, 7:10am

Yes, for now.

Please see your ACME clients documentation.

manuel121 · February 14, 2024, 7:40am

We are using certbot. Can you point me to the correct path on how to do it? I am using this command to renew the cert.

certbot certonly --manual -d --server https://acme-v02.api.letsencrypt.org/directory

mcpherrinm · February 14, 2024, 8:01am

--preferred-chain "DST Root CA X3"

Docs for command line flags for certbot are in User Guide — Certbot 2.10.0.dev0 documentation which has the details

manuel121 · February 14, 2024, 8:20am

Thanks for the reply. Tried your suggestion, but getting an error. I do apologize as I am not an expert on this area. I hope you can help me further.

root@hostname:~# certbot certonly --manual -d hostname.com --server https://acme-v02.api.letsencrypt.org/directory --preferred-chain "DST Root CA X3"
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --preferred-chain DST Root CA X3

mcpherrinm · February 14, 2024, 9:06am

What version of certbot are you running?

manuel121 · February 14, 2024, 10:36am

Hello,

Currently certbot 0.27.0

root@hostname:~# certbot --version
certbot 0.27.0
root@hostname:~# sudo apt install --only-upgrade certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
certbot is already the newest version (0.27.0-1~ubuntu18.04.2).
The following packages were automatically installed and are no longer required:
linux-azure-4.15-cloud-tools-4.15.0-1112 linux-azure-4.15-cloud-tools-4.15.0-1113 linux-azure-4.15-headers-4.15.0-1112 linux-azure-4.15-tools-4.15.0-1112 linux-azure-4.15-tools-4.15.0-1113 linux-azure-5.4-cloud-tools-5.4.0-1080
linux-azure-5.4-cloud-tools-5.4.0-1083 linux-azure-5.4-cloud-tools-5.4.0-1085 linux-azure-5.4-cloud-tools-5.4.0-1086 linux-azure-5.4-cloud-tools-5.4.0-1089 linux-azure-5.4-cloud-tools-5.4.0-1090
linux-azure-5.4-cloud-tools-5.4.0-1091 linux-azure-5.4-headers-5.4.0-1080 linux-azure-5.4-headers-5.4.0-1083 linux-azure-5.4-headers-5.4.0-1085 linux-azure-5.4-headers-5.4.0-1086 linux-azure-5.4-headers-5.4.0-1089
linux-azure-5.4-headers-5.4.0-1090 linux-azure-5.4-headers-5.4.0-1091 linux-azure-5.4-tools-5.4.0-1080 linux-azure-5.4-tools-5.4.0-1083 linux-azure-5.4-tools-5.4.0-1085 linux-azure-5.4-tools-5.4.0-1086
linux-azure-5.4-tools-5.4.0-1089 linux-azure-5.4-tools-5.4.0-1090 linux-azure-5.4-tools-5.4.0-1091 linux-azure-headers-4.15.0-1023 linux-azure-tools-4.15.0-1023 python3-ndg-httpsclient
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 179 not upgraded.

orangepizza · February 14, 2024, 11:15am

you need at least 1.23 for that flag:

manuel121 · February 14, 2024, 11:54am

Thank you very much.

I was able to upgrade certbot and renew the certificate using parameter --preferred-chain DST Root CA X3.

aarongable · February 14, 2024, 3:04pm

Awesome, glad that worked for you!

Just remember, the DST Root CA X3 chain will go away entirely -- i.e. it won't be selectable using the --preferred-chain flag -- on June 6th. So you'll want to ensure that you don't need that root anymore by that time.

jcjones · February 15, 2024, 3:20pm

7 posts were split to a new topic: Pageload Times Increased after DST Root X1 / Shortening Change

system · March 16, 2024, 3:21pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Questions regarding "Shortening the Let's Encrypt Chain of Trust" Help	92	6820	June 10, 2024
Shortening the Let's Encrypt Chain of Trust API Announcements	9	8195	September 30, 2024
How to opt into short chain? Issuance Tech	24	1306	February 4, 2024
Use shorter alternative chain better for letsencrypt API itself Feature Requests	4	1471	October 31, 2021
Extend cross-signed by IdenTrust’s DST Root CA X3 signed certs Help	14	655	May 18, 2024

Shortening the Let's Encrypt Chain of Trust

Related topics