Bug #12484

closed

Unable to remove intermediate CA

Added by Viktor Gurov 3 months ago. Updated 3 months ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: ACME
Target version: -
% Done: 0%

Description

Some client needs to remove the intermediate "ISRG Root X1" CA to allow legacy clients to work; otherwise they will get a 'CERT_HAS_EXPIRED' error.

From https://community.letsencrypt.org/t/problem-with-certificate-has-expired/161013/2:

Here's the certificate chain you're serving which needs to change.

$ openssl s_client -connect admin.netsign.tv:443 -servername admin.netsign.tv
CONNECTED
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = admin.netsign.tv
verify return:1
--

Certificate chain
0 s:CN = admin.netsign.tv
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
If you update that to

---
Certificate chain
0 s:/CN=<your domain here>
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
(i.e. just remove the cross-signed ISRG Root X1 from the chain), I suspect that your client(s) will begin to trust your server again.

You can make that change manually by editing the chain file used by your webserver. You can make the change permanently by editing the configuration of your ACME client to request the alternate chain.

sudo ./certbot certonly --apache -d ${DOMAIN} --dry-run --preferred-chain="ISRG Root X1"

Seems related to #11163.
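For comparison, an added example that is not part of this report, the ACME package or certbot: a standard-library-only Python script that applies to a served PEM bundle the same cut that --preferred-chain="ISRG Root X1" applies when the certificate is requested. The sample chain, the hostname www.example.test and the validity dates are constructed for the example; the sample certificates are unsigned shells that carry only subject, issuer and validity, and the minimal DER reader stands in for a real X.509 library.

```python
# Cut a served certificate chain at the chosen root, as certbot's --preferred-chain
# does. Added example, stdlib only; not pfSense, ACME-package or certbot code.
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
OID_CN = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """(tag, value) pairs directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        out.append((tag, inner))
    return out

def _common_name(name):
    """CN of an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)[:2]
            if oid == OID_CN:
                return val.decode("utf-8")

def cert_fields(der):
    """Subject CN, issuer CN and notAfter of one DER-encoded certificate."""
    _, cert, _ = _tlv(der, 0)  # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = _tlv(cert, 0)  # TBSCertificate
    parts = _children(tbs)
    if parts[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        parts = parts[1:]
    # now: serial, signatureAlgorithm, issuer, validity, subject, spki, ...
    tag, val = _children(parts[3][1])[1]  # notAfter: UTCTime (0x17) or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return {"issuer": _common_name(parts[2][1]),
            "subject": _common_name(parts[4][1]),
            "not_after": datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)}

def chain_subjects(pem_bundle):
    """Subject CNs of a PEM bundle, leaf first."""
    return [cert_fields(base64.b64decode(b))["subject"] for b in PEM_RE.findall(pem_bundle)]

def preferred_chain(pem_bundle, root_cn, now=None):
    """Return the bundle cut after the first certificate issued by root_cn.

    Walks leaf -> intermediates, checking order and expiry, and stops at the
    certificate the chosen root signed; everything after it (the cross-signed
    copy of the root) is dropped, so a legacy client stops at the root in its
    own store instead of following the cross-sign on to DST Root CA X3.
    """
    now = now or datetime.now(timezone.utc)
    kept, prev = [], None
    for i, body in enumerate(PEM_RE.findall(pem_bundle)):
        c = cert_fields(base64.b64decode(body))
        if prev and prev["issuer"] != c["subject"]:
            raise ValueError(f"chain out of order at #{i}: {c['subject']!r}")
        if c["not_after"] <= now:
            raise ValueError(f"{c['subject']!r} expired {c['not_after']:%Y-%m-%d}")
        kept.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
        if c["issuer"] == root_cn:
            return "".join(kept)  # the root itself is never part of the served chain
        prev = c
    raise ValueError(f"no certificate in the bundle is issued by {root_cn!r}")

# --- constructed sample: unsigned certificate shells, NOT real Let's Encrypt certs
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert_pem(subject_cn, issuer_cn, not_after="20300101000000Z"):
    """DER certificate carrying only the fields the reader above looks at."""
    def name(cn):
        atv = _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))
        return _der(0x30, _der(0x31, atv))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer_cn)
           + _der(0x30, _der(0x18, b"20200101000000Z") + _der(0x18, not_after.encode()))
           + name(subject_cn) + _der(0x30, b""))  # empty SPKI placeholder
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Same shape as the chain quoted in the report: leaf, R3, cross-signed ISRG Root X1.
SAMPLE_SERVED_CHAIN = (fake_cert_pem("www.example.test", "R3")
                       + fake_cert_pem("R3", "ISRG Root X1")
                       + fake_cert_pem("ISRG Root X1", "DST Root CA X3", "20240930000000Z"))
```

preferred_chain(SAMPLE_SERVED_CHAIN, "ISRG Root X1") returns the leaf and R3 only: the trailing ISRG Root X1 cross-sign is never examined and is dropped, and a bundle that never reaches the chosen root raises instead of silently serving the wrong chain. To check a live server, feed the function the certificates printed by openssl s_client -showcerts.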


Related issues

Is duplicate of Feature #11163: Preferred Chain option (Pull Request Review, 12/15/2020)

#1

Updated by Jim Pingle 3 months ago

  • Status changed from New to Duplicate

It's the same as the other linked issue. Adding that feature will solve this problem as the user could choose the other preferred chain in the GUI once that is implemented.

#2

Updated by Jim Pingle 3 months ago

