Testing upcoming changes on Feb 8th using Certes library

Hello all,
I faced problems issueing certificates mid November 2023 as mentioned in this thread
https://community.letsencrypt.org/t/production-environment-we-are-getting-exception-when-processing-orders/208263 and did also receive the error message 'Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'.

After code inspection (which was written by a previous member in our organization) I did update the certes library to version 3.0.4 (https://github.com/fszlin/certes), however I am not sure if I need to take further steps to avoid facing an issue on Feb 8th. Is there a possibility to test this before Feb 8th? Or would one of you nice people know if this library version update is sufficient? I did set the preferred chain parameter to "ISRG Root X1" on the certes generate call as well.

Many thanks in advance!

I'm not familiar with certes specifically, but if you're already using the chain rooted in ISRG Root X1 then I'd expect that you'd be all set. All that will be changing in February is which chain is the default.

Set your preferred issuer to ISRG Root X1 in the code and you will get the newer chain, that will prove it all works. The preferred issuer is set in certes when you download the cert. certes/src/Certes/Acme/IOrderContext.cs at main · fszlin/certes · GitHub

I have checked the code in question. There is no call to the certes download method as the certificate is fetched when calling the certes generate method, where I can also specify the preferred chain. Do you know if this is sufficient? Many thanks for your help.

Yes, obviously you should test independently to your production systems but the preferredChain argument in Generate is then passed through to the Download method:

Thank you.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.