Wrong/expired intermediate CA(s) and root CA for staging env

The intermediate CA downloaded from the AIA URL is expired. This happens with the staging LE cert. For production, it works normally.

Normally, before this week, the chains looked good. But from this week, the CA downloaded from this URL is expired.

 Alternative Name:
      URL=http://stg-x1.i.lencr.org/
1 Like

Welcome @lperry

I moved your post to a different category. Just seemed better than Site Feedback which is for requests to improve the website.

I can readily recreate what you describe. I can't say I have ever chased the AIA for Staging certs like this so I'll accept your word that it worked correctly before.

Having the Doctored Durian Root CA X3 show up anywhere seems wrong.

For others, I recreated it by issuing a new staging cert today. Its leaf AIA points to the expected intermediate (Pseudo Plum E5 in my case).

Looking up that E5 intermediate shows the AIA as you describe. And, the E5 intermediate shows Issued by: Issuer: C=US, O=(STAGING) Internet Security Research Group, CN=(STAGING) Pretend Pear X1 which seems normal.

Retrieving the E5 AIA gets the below. I realize this repeats what you say; I just think the Doctored Durian issuer is worth adding to the thread :slight_smile:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ed:5d:5b:c9:6d:fb:df:4d:3e:cd:6a:49:8d:d1:b3:c7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Doctored Durian Root CA X3
        Validity
            Not Before: Jan 20 19:14:03 2021 GMT
            Not After : Sep 30 18:14:03 2024 GMT
        Subject: C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
5 Likes

I can confirm.

Looks like somehow http://stg-x1.i.lencr.org/ is currently serving some older version of the chain.

3 Likes

We'll take a look.

6 Likes

Thanks @MikeMcQ for looking into this issue. To be accurate, I use R10/R11 since I use an RSA cert. Never mind, your E5 Pretend Pear X1 also got expired. :laughing:

3 Likes

Thanks @mcpherrinm for the follow-up.

2 Likes

stg-x1.i.lencr.org has been updated with the self-signed Pretend Pear X1

        Issuer: C=US, O=(STAGING) Internet Security Research Group, CN=(STAGING) Pretend Pear X1
8 Likes
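
A check that tells apart the two responses reported in this thread for the root's AIA URL, as an added example that is not part of any post here and not Let's Encrypt's own tooling. It parses `openssl x509 -text` output; the function names, the `FIXED` sample's validity dates and the `NOW` check time are assumptions made for the illustration.

```python
import re
from datetime import datetime, timezone

# From the thread: `openssl x509 -text` fields of what the AIA URL served before the fix.
STALE = """\
    Issuer: C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Doctored Durian Root CA X3
    Validity
        Not Before: Jan 20 19:14:03 2021 GMT
        Not After : Sep 30 18:14:03 2024 GMT
    Subject: C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
"""
# Constructed sample: the self-signed shape reported after the fix; validity dates are invented.
FIXED = """\
    Issuer: C=US, O=(STAGING) Internet Security Research Group, CN=(STAGING) Pretend Pear X1
    Validity
        Not Before: Jan  1 00:00:00 2020 GMT
        Not After : Jan  1 00:00:00 2040 GMT
    Subject: C=US, O=(STAGING) Internet Security Research Group, CN=(STAGING) Pretend Pear X1
"""
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # assumed check time, not a date from the thread

def _field(dump, label):
    # Anchored at line start so "CA Issuers" and "Subject Public Key Info" never match.
    m = re.search(r"^[ \t]*%s[ \t]*:[ \t]*(.+?)[ \t]*$" % re.escape(label), dump, re.M)
    if m is None:
        raise ValueError("field not found: " + label)
    return m.group(1)

def _dn(text):
    # The thread shows both "C = US" and "C=US" spellings; normalise before comparing.
    return re.sub(r"\s*=\s*", "=", text)

def _when(text):
    # Collapse the double space OpenSSL uses for single-digit days, then parse as UTC.
    stamp = datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT")
    return stamp.replace(tzinfo=timezone.utc)

def check_aia_cert(dump, now, expect_self_issued):
    """Return findings for the certificate a caIssuers (AIA) URL serves."""
    findings = []
    if now < _when(_field(dump, "Not Before")):
        findings.append("not yet valid")
    if now > _when(_field(dump, "Not After")):
        findings.append("expired")
    # Name comparison only: proving self-signed also needs a signature check.
    if expect_self_issued and _dn(_field(dump, "Issuer")) != _dn(_field(dump, "Subject")):
        findings.append("not self-issued")
    return findings
```

Pass `expect_self_issued=False` when the URL is meant to serve an intermediate, whose issuer legitimately differs from its subject.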

Appreciate the great help! It works now.

Cheers
Perry

3 Likes
