Bug #12484
closed
Unable to remove intermediate CA
0%
Description
Some client needs to remove intermediate "ISRG Root X1" CA to allow legacy clients to work,
otherwise they will get a 'CERT_HAS_EXPIRED' error
from https://community.letsencrypt.org/t/problem-with-certificate-has-expired/161013/2:
Here's the certificate chain you're serving which needs to change.
$ openssl s_client connect admin.netsign.tv:443 -servername admin.netsign.tv
CONNECTED
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = admin.netsign.tv
verify return:1
--
Certificate chain
0 s:CN = admin.netsign.tv
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
If you update that to
---
Certificate chain
0 s:/CN=<your domain here>
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
(i.e. just remove the cross-signed ISRG Root X1 from the chain), I suspect that your client(s) will begin to trust your server again.
You can make that change manually by editing the chain file used by your webserver. You can make the change permanently by editing the configuration of your ACME client to request the alternate chain.
sudo ./certbot certonly --apache -d ${DOMAIN} --dry-run --preferred-chain="ISRG Root X1"
seems related to #11163
Related issues
Updated by