(STAGING) Doctored Durian Root CA X3 is expired (breaks test environment)

@mattduguid, based on @rmbolger's analysis you would have to get the "terraform-provider-acme" developer to add this functionality to that package, or else use a different ACME client that can already do this.

Per my post above, you could also mention this in the other thread to make the Let's Encrypt staff aware of some unintended impacts from their changes to the staging environment, although I think there's no likelihood that those changes will be reverted in the short term!

2 Likes

If that's the case, then currently staging certificates are broken for us in Azure and we can only use production, which brings in issues with rate limits. In terms of raising this as an RFE for the ACME provider, is there any technical guidance on how to select the alternative chain that I can supply them?

1 Like

It's akin to the --preferred-chain option in the Certbot and acme.sh clients:

The ACME protocol mechanism for this is called the "alternate" link relation:

Client implementers who want more information about this can also come to this forum and post a question in the "Client Dev" category, and they'll get a lot of help and advice!

4 Likes

As noted up-thread, the expired root is intentional and production will eventually offer a similar default chain. Now is the best time to learn this and work with your client developers to get alternate chains working so you can select a different one in Production when Let's Encrypt changes the default.

We should probably start a new thread to discuss the use case for uploading Staging certs. It's not recommended to use them in your trust store:

Important: Do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing.

6 Likes

This statement is incorrect. The staging certificates are not broken, your client is broken and/or limited in functionality.

Although this is annoying, you should be relieved that you are discovering this against the Staging system, long before this is rolled out into the Production system.

In my experience, the vast majority of ACME clients are either poorly written, do not implement the spec correctly, or both. The staging change, while inconvenient, is surfacing many of these issues for people.

If LetsEncrypt were to revert any of these changes, it would not solve any problems; it would exacerbate them, allowing your team to accrue increasing amounts of Technical Debt.

As others said, you have two correct paths forward:

  1. Work with your client's author to make their code function correctly.
  2. Select a new client.

Going beyond what @schoen said, while the ACME spec provides for alternate links, it is up to the client developers what to do with them. A very-safe option is to download/process all the alternate links and save them to disk. The more popular option is to allow clients to specify the preferred chain, and only save that one to disk.

5 Likes
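To make the two client-side options discussed above concrete (the `--preferred-chain` style selection that uses the ACME "alternate" link relation, and the "download every alternate chain and decide later" approach), here is an added Python example. It is not code from any client or project named in the thread, including terraform-provider-acme, Certbot or acme.sh. The hostnames, URLs, intermediate and alternate-root names and expiry dates are constructed sample data (only the "(STAGING) Doctored Durian Root CA X3" name comes from the thread), and the HTTP fetch of each chain is replaced by a dictionary lookup so it runs offline.

```python
"""Selecting an ACME alternate certificate chain (RFC 8555 section 7.4.2).

Added example, not code from any client named in the thread. It parses the
Link: <url>;rel="alternate" headers an ACME server returns alongside the
certificate download, collects every candidate chain, and picks the one whose
top-most issuer matches a preferred name (the behaviour Certbot exposes as
--preferred-chain). All URLs, names other than the Doctored Durian root, and
dates below are constructed sample data.
"""
import re
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

Cert = Tuple[str, datetime]   # (subject common name, notAfter)
Chain = List[Cert]            # leaf first, top-most issuer last

# Constructed sample: certificate URL plus the Link headers that might
# accompany the default chain. The first header carries two comma-separated
# links so both header layouts allowed by RFC 8288 are exercised.
CERT_URL = "https://acme-staging.example/acme/cert/abc123"
LINK_HEADERS = [
    '<https://acme-staging.example/acme/cert/abc123/1>;rel="alternate", '
    '<https://acme-staging.example/acme/cert/abc123/2>;rel="alternate"',
    '<https://acme-staging.example/directory>;rel="index"',
]


def _ts(day: str) -> datetime:
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


# Constructed stand-in for the PEM bodies served at each URL: each chain is
# reduced to (subject, notAfter) pairs so the selection logic is visible
# without an X.509 parser. Dates are invented for the example.
CHAINS: Dict[str, Chain] = {
    CERT_URL: [("leaf", _ts("2021-12-01")),
               ("(STAGING) Example Intermediate", _ts("2025-01-01")),
               ("(STAGING) Doctored Durian Root CA X3", _ts("2021-01-01"))],
    CERT_URL + "/1": [("leaf", _ts("2021-12-01")),
                      ("(STAGING) Example Intermediate", _ts("2025-01-01")),
                      ("(STAGING) Example Alternate Root", _ts("2030-01-01"))],
    CERT_URL + "/2": [("leaf", _ts("2021-12-01")),
                      ("(STAGING) Example Intermediate", _ts("2025-01-01"))],
}
NOW = _ts("2021-09-15")  # fixed clock so the example is deterministic

_LINK_RE = re.compile(r'<([^>]*)>((?:\s*;[^,;]*)*)')


def parse_link_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each rel value to the URLs carrying it (RFC 8288 Link syntax)."""
    rels: Dict[str, List[str]] = {}
    for header in headers:
        for url, params in _LINK_RE.findall(header):
            for param in params.split(";"):
                key, _, value = param.strip().partition("=")
                if key.strip().lower() == "rel":
                    for rel in value.strip().strip('"').split():
                        rels.setdefault(rel.lower(), []).append(url)
    return rels


def candidate_chain_urls(cert_url: str, headers: List[str]) -> List[str]:
    """Default chain first, then every rel="alternate" chain the server offers."""
    return [cert_url] + parse_link_headers(headers).get("alternate", [])


def save_all_chains(cert_url: str, headers: List[str],
                    fetch: Callable[[str], Chain]) -> Dict[str, Chain]:
    """The 'download every alternate' option: keep all chains keyed by URL."""
    return {u: fetch(u) for u in candidate_chain_urls(cert_url, headers)}


def select_chain(cert_url: str, headers: List[str], fetch: Callable[[str], Chain],
                 preferred_issuer: Optional[str] = None) -> Tuple[str, Chain]:
    """The --preferred-chain style option: match the subject of the top-most
    certificate; fall back to the server's default chain when nothing matches."""
    chains = save_all_chains(cert_url, headers, fetch)
    if preferred_issuer is not None:
        for url, chain in chains.items():
            if chain and chain[-1][0] == preferred_issuer:
                return url, chain
    return cert_url, chains[cert_url]


def chain_usable(chain: Chain, now: datetime = NOW) -> bool:
    """A chain with any already-expired certificate will fail validation."""
    return bool(chain) and all(not_after > now for _, not_after in chain)


def expired_chain_urls(cert_url: str, headers: List[str],
                       fetch: Callable[[str], Chain], now: datetime = NOW) -> List[str]:
    """URLs of offered chains that contain an expired certificate; this is the
    check that would have flagged the staging default chain before deployment."""
    return [u for u, c in save_all_chains(cert_url, headers, fetch).items()
            if not chain_usable(c, now)]


if __name__ == "__main__":
    print("candidates:", candidate_chain_urls(CERT_URL, LINK_HEADERS))
    print("expired:", expired_chain_urls(CERT_URL, LINK_HEADERS, CHAINS.get))
    print("chosen:", select_chain(CERT_URL, LINK_HEADERS, CHAINS.get,
                                  "(STAGING) Example Alternate Root")[0])
```

In a real client, `fetch` would be an authenticated POST-as-GET to each URL and the chain would be parsed from PEM; the point of the example is the control flow: the default chain is never the only option, every `rel="alternate"` URL is a candidate, and matching on the top-most issuer's subject is what lets an operator sidestep an expired root without waiting for the server's default to change.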
