Time to renew certs, can I use letsencrypt again?

A year is coming up since all of our remote IoT devices stopped working when a change was made to the letsencrypt certs.

My original problem:

Unfortunately, it looks like your ca-certificates bundle is 6 years old. This is from before ISRG
Root X1 was even created, so ISRG Root X1 is not included. That's somewhat surprising
because you said earlier that you have a fairly modern ca-certificates bundle installed:

The relatively quick fix was to go to GoDaddy at nearly one hundred dollars. I'll do that again if that's the only option but someone had mentioned somewhere that letsencrypt might come up with some sort of backward compatibility.

Just wondering if anything had changed or if I should just keep using GD for this since we cannot get the remote devices back to update or change anything on them.

What Operating System and Version are they?

1 Like

I'm not sure what you were expecting a year later? Your IoT devices still have an ancient root certificate store (unless you've updated that store yourself..) and it's more likely you'll have more and more trouble with other root certificates too than that Let's Encrypt is suddenly going to work.

Don't you have access to the IoT devices now, since you're using the (working) GoDaddy certificate so you can perhaps update them? As you said you couldn't update them because the LE certificate wasn't working with the devices. Now that you do have a working connection due to the GD cert, can't you update the IoT devices to accept the ISRG Root X1 certificate?

3 Likes

I looked through what you posted, which had all the relevant info on versions and your situation. Unfortunately, there are no possible fixes to your particular situation, nor can there ever be.

The legacy devices need to be updated to at least:

  • use newer trust stores (root certificates)
  • use newer versions of polarssl or openssl, which support the newer logic/flags/defaults for building trust chains
  • possibly other things that someone else will mention

You will need to use another Certificate Authority until you are able to update enough devices that gives you the confidence to stop supporting the rest.

Keep in mind:

  • You need to select a CA that is supported in the certificate bundle serving both legacy and updated machines
  • Another free ACME CA may be an option, as they have different roots
  • All CAs have roots that expire. LetsEncrypt simply had one of the first large-scale root expiries. This situation is still a countdown clock. You may be able to find a CA that is still supported for your legacy devices, but it will eventually expire. Any CA you update to will expire as well. The potential support options are smaller and smaller every month.

I'm sorry you are dealing with this. This was a large oversight by the developer of the devices. They need to have a system in place for the machines in the wild to update now, and in the future. Hopefully it can be automatic, otherwise a firmware updater or similar will be needed. Without updating the devices, they will all eventually be unusable.

I read the other post. The OP is a server admin with limited knowledge in this area. They're not the developer or have any control of the devices.

3 Likes

I haven't read the previous post, but as you did, maybe you can answer it quicker than me reading the entire previous thread: isn't there a party which does have control/access of/to the devices? E.g., the developer?

Also, as you said, there are other free ACME CAs out there possibly compatible with the devices. If OP knows which root store is installed on the devices, they might figure out which CA is compatible.

@rmbolger has made a nice overview of free CAs here: ACME CA Comparison - Posh-ACME

2 Likes

Also, from that other thread (skimmed it a little bit):

OP/devs have had access to the devices for almost a year now, with the GD certificate.. So I'm failing to see the issue here.....

Also from the other thread: OP said they went with GD, because it "only took 10 minutes" even when ZeroSSL was offered as an alternative. Getting a certificate from ZeroSSL could have taken LESS than the 10 minutes it took to get an expensive GD cert... Multiple...

I'm at a loss.

1 Like

From what I can tell, @Lorance is just a Linux admin that is probably with a company that is hosting the backend for the devices. Based on this situation, the device developer's ability to update the devices - and competency - is questionable.

From Temp support for X1? Lost access to large number of devices - #39 by Lorance

Many devices run:

  • PolarSSL/1.3.14, which dates back to Jan 27, 2014
  • they are supposed to be running openwrt ca-bundle - 20200601-1, but @jsha noticed they have a Mozilla bundle from 2015 (with a 2019 date?!?!), so X1 isn't even in it

Multiple ISRG/LetsEncrypt and Certbot Engineers - in addition to some of the best community members - tried to help in that post.

Lots of devices with lots of different trust roots. It's going to be increasingly harder to keep all of them happy. Attrition is guaranteed in every scenario, the question is finding which options will enable the largest amount of devices.

2 Likes
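An added example, not part of the thread and not code from any poster: one way to measure which candidate CA root keeps the most devices working, given the CA bundle pulled from each firmware image. The device models, candidate names, expiry dates and "certificate" bytes below are all constructed placeholders; with real data, the bundle text comes from the firmware and the fingerprint and expiry come from each CA's published root.

```python
import base64, hashlib, re
from datetime import date

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def bundle_fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of every certificate in a PEM bundle.
    Comment lines between certificates, as in Mozilla-derived bundles, are ignored."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)}

def rank_roots(candidates, device_bundles, today):
    """Rank candidate roots by how many device bundles already trust them.
    candidates: {ca_name: (sha256_hex, not_after)}; device_bundles: {model: pem_text}.
    Roots already expired on `today` are dropped; ties go to the later expiry."""
    stores = {m: bundle_fingerprints(p) for m, p in device_bundles.items()}
    rows = []
    for name, (fp, not_after) in candidates.items():
        if not_after <= today:
            continue
        covered = sorted(m for m, s in stores.items() if fp in s)
        rows.append((name, covered, not_after))
    rows.sort(key=lambda r: (-len(r[1]), -r[2].toordinal()))
    return rows

# --- constructed sample data: placeholder bytes, not real certificates ---
def _pem(der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

def _fp(der):
    return hashlib.sha256(der).hexdigest()

A, B, C, D = (b"constructed root " + x for x in (b"A", b"B", b"C", b"D"))
DEVICE_BUNDLES = {
    "model-2015": "# old bundle\n" + _pem(A) + _pem(B) + _pem(D),
    "model-2018": _pem(A) + _pem(B) + _pem(D),
    "model-2020": _pem(A) + _pem(B) + _pem(C) + _pem(D),
}
CANDIDATES = {
    "CA-A": (_fp(A), date(2028, 1, 1)),
    "CA-B": (_fp(B), date(2040, 1, 1)),
    "CA-C": (_fp(C), date(2040, 1, 1)),
    "CA-D": (_fp(D), date(2021, 9, 30)),  # in every bundle, but already expired
}
TODAY = date(2022, 9, 1)  # constructed evaluation date

if __name__ == "__main__":
    for name, covered, not_after in rank_roots(CANDIDATES, DEVICE_BUNDLES, TODAY):
        print(f"{name}: {len(covered)}/{len(DEVICE_BUNDLES)} models, root expires {not_after}")
```

A root being present in the bundle is necessary but not sufficient: as noted earlier in the thread, the device's TLS library version also affects how the trust chain is built, so a test handshake from a real device is still the final check.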

I wasn't 'expecting' anything. I was simply asking a question because SSL certs aren't my area of knowledge other than installing them.

Osiris, you didn't read the previous post because I said we do not have any access to the devices, they are all over the globe, impossible to get at. The initial versions of the firmware installed on them didn't have any possibility to update/upgrade from remote.

I went with GD because it took minutes; otherwise, I would have had to sign up to another service etc. etc.

You're at a loss??? Why do you care so much? I got the cert and it fixed the problem at the time.

People like you in forums really suck. I have no idea AT ALL why you are spending so much time trying to chastise me over this. Just don't reply if my situation frustrates you. We all have enough stress in our lives. Give me a break.

Statistics seem to disagree:

Anyway, if Let's Encrypt is not suitable, I've linked to an overview of the currently known free ACME CAs out there in one of my previous posts. It should NOT take long to get a certificate from one of those. The post even mentions the certificate chains, so you can see which root has the longest lifetime.

I'm sorry if my posts came across as chastising, but I find some decisions difficult to grasp. Understanding one's motivations for seemingly weird decisions can lead to better understanding of one's situation and thus possibly help them better. However, erratic or illogical decisions are something I can't really deal with well 🙂

3 Likes

To summarize the other free CA root certs:

If what @jvanasco earlier said holds true for all the devices (i.e., running a cert bundle from 2015), the SSL.com root certificate probably won't work, as it's issued after 2015.

The root of ZeroSSL goes way back, but is only valid for 6 more years.

Best option is to go with Buypass: the root is from 2010, so chances are best it's incorporated in your devices and it's valid for 18 more years to come! See GO SSL ACME - Buypass AS for more info. Probably especially Buypass GO SSL - Endpoints - Updated 14.05.2020 - Technical Information - Buypass AS, Rate limits - Technical Information - Buypass AS and Get started - Tips, Tricks and Guides - Buypass AS.

Good thing about the Buypass ACME API too is: it doesn't require an external account which would need to be used to register the ACME account like with ZeroSSL or SSL.com! No, Buypass works just like Let's Encrypt: just fire up Certbot, use the Buypass ACME API endpoint using --server and it just works 🙂

4 Likes

Thanks for the answers. I see the thread is solved, and I'm going to close it now to cool off.

4 Likes