I still run some stuff on an old Ubuntu machine that I, for various reasons, cannot update. Each time the Letsencypt certificate is updated I must go to the fullchain.pem and delete the last portion, the last cert, which is the expired root. Doing so does not seem to harm anything and stuff starts w…

[image] Long (default) and Short (alternate) Certificate Chains Explained Issuance Policy I… [image] Extending Android Device Compatibility for Let's Encrypt Certificates - ... Update, May 13, 2021 Please visit [this post] (https://community.letsencrypt.or…

Thanks. I was checking https://certbot.eff.org/ for instructions, but there are none. Maybe there should be? What are the values for --prefered-chain ?

[image] stefanve: What are the values for --prefered-chain ? --prefered-chain "ISRG Root X1" for a chain ending with ISRG Root X1, and --prefered-chain "DST Root CA X3" for a chain ending in the (expired) DST Root CA X3 (default). The first one is the short chain. For reference: User Guide —…

[image] Nummer378: For reference: User Guide — Certbot 1.21.0 documentation (though that doesn't list the actual values used by Let's Encrypt). The latter part is logical: while certbot might be primarily Let's Encrypt orientated, there are a few other ACME servers available. So it doesn't ma…

@Osiris I tend to disagree here; it requires more than just thinking. You would have to at least know which certs to pick from. (not common knowledge/spelling and can change at any moment - updated lists, or links, should be provided therein)

[image] rg305: @Osiris I tend to disagree here; it requires more than just thinking. You would have to at least know which certs to pick from. From the certbot documentation for --preferred-chain: prefer the chain whose topmost certificate was issued from this Subject Common Name. From P…

I don't know exactly where you found your documentation... But https://eff-certbot.readthedocs.io/en/stable/using.html Says only: [image] And even with your added info, putting the pieces together isn't rocket science [true]. But finding all the pieces can be challenging. Your own words: […

[image] rg305: I don't know exactly where you found your documentation... I literally copied it from the text in your screenshot. [image] rg305: So the current certbot docs make it difficult to find info for LE certs and completely exclude info on any other servers. It's not the task …

Not found anywhere on that page: [image] Osiris: ISRG Root X1, signed by DST Root CA X3 R3, signed by ISRG Root X1

No, because that's from the other link about the longer chain, not the certbot documentation. You've got to combine the two.

[image] Osiris: It's not the task of the client to endulge into that information A missed opportunity :frowning:

Why do Letsencrypt still add the expired root cert?

Issuance Tech

Nummer378 November 30, 2021, 5:03pm 2

Also note that we do not recommend fiddling with certificate chains manually. If you have a specific need to use the short chain, you should configure your ACME client to download this chain instead of deleting certificates manually. If you're running certbot 1.12 or higher, you can for example use the '--prefered-chain option to do this.

Topic		Replies	Views
--preferred-chain not taking effect Help	36	10626	December 17, 2021
Public Poll: Which should be the default certificate chain issued by Let's Encrypt? Issuance Policy	15	2740	November 15, 2021
Shortening the Let's Encrypt Chain of Trust Help	12	1026	March 16, 2024
Certificate chain names Help	28	1855	December 27, 2023
Questions regarding "Shortening the Let's Encrypt Chain of Trust" Help	92	8150	June 10, 2024

Why do Letsencrypt still add the expired root cert?

Related topics