Bug #12484
closedUnable to remove intermediate CA
0%
Description
Some client needs to remove intermediate "ISRG Root X1" CA to allow legacy clients to work,
otherwise they will get a 'CERT_HAS_EXPIRED' error
from https://community.letsencrypt.org/t/problem-with-certificate-has-expired/161013/2:
Here's the certificate chain you're serving which needs to change.
$ openssl s_client connect admin.netsign.tv:443 -servername admin.netsign.tv
CONNECTED
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = admin.netsign.tv
verify return:1
--
Certificate chain
0 s:CN = admin.netsign.tv
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
If you update that to
---
Certificate chain
0 s:/CN=<your domain here>
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
(i.e. just remove the cross-signed ISRG Root X1 from the chain), I suspect that your client(s) will begin to trust your server again.
You can make that change manually by editing the chain file used by your webserver. You can make the change permanently by editing the configuration of your ACME client to request the alternate chain.
sudo ./certbot certonly --apache -d ${DOMAIN} --dry-run --preferred-chain="ISRG Root X1"
seems related to #11163
Related issues
Updated by Jim Pingle about 3 years ago
- Status changed from New to Duplicate
It's the same as the other linked issue. Adding that feature will solve this problem as the user could choose the other preferred chain in the GUI once that is implemented.
Updated by Jim Pingle about 3 years ago
- Is duplicate of Feature #11163: Preferred Chain option added