Switching to ISRG Root X1 before 9/30

My domain is: api.leasecalcs.com

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Ubuntu 20

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0

We have a client who is using the DST Root CA cert chain currently as well as our current application cert expiring on 12/19. The DST Root CA and intermediate cert are expiring on 9/30 and I understand that it will be an automated switch to ISRG Root X1.

The problem is, they need time to update certs on their end. They have told us that they downloaded and deployed the ISRG Root X1 and got a chain peer identification issue during the handshake since it didn't match the cert chain.

Is there a way to manually switch it over before 9/30? Or run some kind of command? Apologies if I misunderstand the certs entirely, I'm not super knowledgeable about these things.

1 Like

Your site is currently serving the default android-compatible chain.

$ openssl s_client -connect api.leasecalcs.com:443
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api.leasecalcs.com
verify return:1
Certificate chain
 0 s:CN = api.leasecalcs.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

My understanding is that this should work fine for anything except clients running openssl 1.0.2 or earlier. Do you know what software your client is using to connect to your server?


Thanks for the reply! It appears they use Chrome to download the certificate manually. On the current site, it appears that is unavailable. Clicking the lock, and selecting view certificate will only give you the D3 Root. It will not give you the cert for ISRG.

Am I right in assuming that if they need a certificate to check my site against, they should download the root certs here?

Will this cause issues or should I be giving them a command to actually grab the cert.

I'm still unclear why they would be downloading a certificate at all. The point of having a publicly trusted certificate like you get from Let's Encrypt is that clients shouldn't need to explicitly trust anything. The trust should be automatic as part of their operating system or web browser.

Your hostname implies they may not be connecting to your server with a web browser though. So what software do they connect to your API with?

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.