Telegraf complains certificate is using old root

My domain is: genea.de-brouwerij.be

I ran this command: certbot certificates

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: mailbox.de-brouwerij.be
    Serial Number: 4c57fe1ca4bb20c33dbcfc1de30a5084680
    Key Type: RSA
    Domains: cloudlaarne.de-brouwerij.be genea.de-brouwerij.be logo.de-brouwerij.be mailbox.de-brouwerij.be
    Expiry Date: 2023-11-06 21:10:51+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mailbox.de-brouwerij.be/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mailbox.de-brouwerij.be/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version): apache 2.4.41

The operating system my web server runs on is (include version): ubuntu 20.04.6 LTS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

I'm running telegraf to monitor the validity time of my certificate. For a while now telegraf has been complaining that the certificate is not valid anymore. On the telegraf forum I was told that the expired X3 root was the cause.
This is what telegraf logs:

2023-08-09T08:45:30Z D! [inputs.x509_cert] Invalid certificate 4001772137d4e942b8ee76aa3c640ab7
2023-08-09T08:45:30Z D! [inputs.x509_cert]   cert DNS names:    []
2023-08-09T08:45:30Z D! [inputs.x509_cert]   cert IP addresses: []
2023-08-09T08:45:30Z D! [inputs.x509_cert]   cert subject:      CN=ISRG Root X1,O=Internet Security Research Group,C=US
2023-08-09T08:45:30Z D! [inputs.x509_cert]   cert issuer:       CN=DST Root CA X3,O=Digital Signature Trust Co.
2023-08-09T08:45:30Z D! [inputs.x509_cert]   opts.DNSName:      
2023-08-09T08:45:30Z D! [inputs.x509_cert]   verify options:    { 0xc002784f60 <nil> 0001-01-01 00:00:00 +0000 UTC [0] 0}
2023-08-09T08:45:30Z D! [inputs.x509_cert]   verify error:      x509: certificate signed by unknown authority

A chain checker also reports that the legacy chain is used.
I searched for a way to remove that X3 root, but I can't find where to configure this. All I find is that nothing has to be done. But still that X3 root appears, and the cert was renewed yesterday.
Any help?
Thanks.

Here, read this:


Please see the Certbot info for --preferred-chain in the User Guide — Certbot 2.6.0 documentation.

Thanks,
your links enabled me to set the preferred chain to ISRG Root X1. Now I don't see complaints in the log of telegraf anymore.
But can I also conclude from my reading that telegraf is being holier than the pope?


Could be. Doesn't necessarily need to be Telegraf itself, but e.g. the Go libraries used. Not sure about that.

There is nothing wrong with the long chain that includes DST Root CA X3. In fact this forum uses a cert chain which includes that as do numerous other sites given that it is the default chain.

You might want to read this for deeper background


I got a reply that's not seen here, so I will explain what I did:
In /etc/letsencrypt/renewal/mailbox.de-brouwerij.be.conf (the config file for my certificate) I added a line after [renewalparams]:
preferred_chain = ISRG Root X1

Then I ran
certbot renew --force-renewal

Now my certificate uses the shorter option, and telegraf does not complain anymore.
Regarding "nothing wrong with the old certificate": try to convince the people from telegraf. I could not (Error in X509 certificate checking - Telegraf - InfluxData Community Forums).

Well, it is probably not worth the trouble as the chain with DST Root CA X3 will be going away next year anyway so you have just made the change early.

And, plenty of other sites run with the alternate "short chain" like you do now.

The Telegraf problem is they don't recognize that the default "long chain" has two possible paths to a known CA root on your system.

Most modern clients will walk the chain, see the link to ISRG Root X1 and stop as that leads to a known root.

Other clients, like older Android, do not recognize the X1, so they look at the next one, which is a link to the DST ... X3 root. These older Android devices also do not check the expiry, so they consider this secure. There were a very large number (hundreds of millions, I think) of such devices, which is why Let's Encrypt provided a solution for them.

Given Let's Encrypt issues around 3 million certs per day and that this longer chain is the default I am surprised Telegraf doesn't handle it better.

But, as I noted in my lead, it's probably not worth the bother trying to improve on their messaging.

SSL Labs shows what I described above well. Path #1 is trusted by any system that knows X1. Path #2 only by clients such as older Android.

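The two paths described in the post above can be reproduced with Go's own crypto/x509 verifier, which is also the library that produces the "x509: certificate signed by unknown authority" wording seen in the telegraf log. The program below is an added example and is not code from the thread, from Certbot or from Telegraf. It generates a throwaway PKI in memory with the same shape as the Let's Encrypt default chain (an expired old root, a new root, the new root cross-signed by the old one, an intermediate and a server certificate; all names and keys are constructed stand-ins, not the real CA certificates) and then runs three checks: the server certificate verified the way a modern client does it, every certificate in the chain file verified on its own, and the cross-signed root verified through the old root. The second check reproduces the per-certificate failure pattern the first post's log shows; the third shows why even trusting the old root does not help a client that enforces expiry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed PKI mirroring the shape of the Let's Encrypt default chain.
// Everything is generated in-process; none of these are the real CA certificates.
//   oldRoot      stands in for DST Root CA X3 (already expired)
//   newRoot      stands in for ISRG Root X1 (self-signed, in the trust store)
//   newRootCross stands in for ISRG Root X1 cross-signed by DST Root CA X3
//   inter        stands in for R3, issued by newRoot
//   leaf         the server certificate, issued by inter
type pki struct {
	oldRoot, newRoot, newRootCross, inter, leaf *x509.Certificate
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with parentKey; passing parent == tmpl yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(cn string, serial int64, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-48 * time.Hour),
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func buildPKI() pki {
	now := time.Now()
	oldKey, newKey, interKey, leafKey := genKey(), genKey(), genKey(), genKey()

	oldTmpl := caTemplate("Old Root", 1, now.Add(-24*time.Hour)) // expired, like DST Root CA X3
	oldRoot := issue(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey)

	newTmpl := caTemplate("New Root", 2, now.Add(24*time.Hour))
	newRoot := issue(newTmpl, newTmpl, &newKey.PublicKey, newKey)

	// Same subject and same key as newRoot, but issued by oldRoot: the cross-sign.
	crossTmpl := caTemplate("New Root", 3, now.Add(24*time.Hour))
	newRootCross := issue(crossTmpl, oldRoot, &newKey.PublicKey, oldKey)

	interTmpl := caTemplate("Intermediate", 4, now.Add(24*time.Hour))
	inter := issue(interTmpl, newRoot, &interKey.PublicKey, newKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(5),
		Subject:      pkix.Name{CommonName: "example.invalid"}, // constructed hostname
		DNSNames:     []string{"example.invalid"},
		NotBefore:    now.Add(-48 * time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return pki{oldRoot, newRoot, newRootCross, inter, leaf}
}

// pools models a modern trust store (only newRoot) plus what a client collects from
// fullchain.pem as intermediates: the R3 stand-in and the cross-signed root.
func pools(p pki) (roots, inters *x509.CertPool) {
	roots = x509.NewCertPool()
	roots.AddCert(p.newRoot)
	inters = x509.NewCertPool()
	inters.AddCert(p.inter)
	inters.AddCert(p.newRootCross)
	return roots, inters
}

// verifyLeaf is what a browser or Go's TLS client does: walk up from the server
// certificate and stop as soon as a trusted root is reached. The cross-signed root
// is never needed on that path, so its expired issuer does not matter.
func verifyLeaf(p pki) error {
	roots, inters := pools(p)
	_, err := p.leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "example.invalid"})
	return err
}

// verifyEachAlone validates every certificate in the chain file as if it were a leaf.
// The cross-signed root then has no trusted issuer of its own, which is the failure
// pattern the "Invalid certificate ... CN=ISRG Root X1" log lines show.
func verifyEachAlone(p pki) map[string]string {
	roots, inters := pools(p)
	out := map[string]string{}
	for _, c := range []*x509.Certificate{p.leaf, p.inter, p.newRootCross} {
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
		out[c.Subject.CommonName] = classify(err)
	}
	return out
}

// verifyCrossViaOldRoot shows the second path: it only works for clients that, like
// old Android, do not enforce the old root's expiry. Go does enforce it.
func verifyCrossViaOldRoot(p pki) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.oldRoot)
	_, err := p.newRootCross.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// classify maps Go's verification errors to short labels. An expired root is
// reported as CertificateInvalidError; the message check is a fallback in case a
// Go version surfaces it only as the hint inside UnknownAuthorityError.
func classify(err error) string {
	var ua x509.UnknownAuthorityError
	var ci x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &ci) && ci.Reason == x509.Expired:
		return "expired"
	case strings.Contains(err.Error(), "has expired"):
		return "expired"
	case errors.As(err, &ua):
		return "unknown authority"
	default:
		return "other: " + err.Error()
	}
}

func main() {
	p := buildPKI()
	fmt.Println("leaf via long chain:      ", classify(verifyLeaf(p)))
	for cn, r := range verifyEachAlone(p) {
		fmt.Printf("%-26s %s\n", cn+" alone:", r)
	}
	fmt.Println("cross-signed via old root:", classify(verifyCrossViaOldRoot(p)))
}
```

Running it prints "ok" for the leaf through the long chain and for the intermediate and leaf checked individually, "unknown authority" for the cross-signed root checked on its own, and "expired" for the path through the old root. That is the practical distinction in this thread: the long chain is valid for any client that builds a path to a root it trusts, and a checker that insists on validating each certificate in the file separately will flag the cross-signed root even though no path through it is ever needed.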

In the future, please don't manually change the renewal configuration files but use the --preferred-chain option as mentioned earlier.

