Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Let's Encrypt change on September 30 (DST Root CA X3) #393

Open
markusfi opened this issue Jul 19, 2021 · 7 comments
Open

Let's Encrypt change on September 30 (DST Root CA X3) #393

markusfi opened this issue Jul 19, 2021 · 7 comments

Comments

@markusfi
Copy link

Hi everyone,

as you probably know the Let´s Encrypt DST Root CA X3 will expire on September 30.
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

I renewed my certificate today using Azure Let's Encrypt and it will expire October 17.
But the root will expire before that, and the intermediate R3 even before on September 29.

I read that I should not worry, and there are multiple chains, one chain to the expiring DST Root CA X3 and another Chain to ISRG Root X1.

If this is true, then my browser should still trust the connection on October 16, right?

So first I changed the current date of my browser to September 28.
Everything is fine on September 28.

So then I changed the current date of my browser to October 16.
That´s is fine for my certificate, but not for the root any more.

And so Chrome and Edge both are telling me the connection is not trused.
So it seems to me that I am getting into a lot of trouble and so is everyone else?

Do you know if this Let's Encrypt change is a problem in Azure Let's Encrypt?

Thanks for advance.
@sjkp
Copy link
Owner

sjkp commented Jul 24, 2021 via email

@nemesmia-gm
Copy link

Any news on this?

It might be related to the previous Issue "Server Error in '/letsencrypt' Application.
Can not find issuer 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Doctored Durian Root CA X3' for certificate 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Pretend Pear X1'. "

@dombarnes
Copy link

I’ve actually hit issues now with android 7.1.- and lower devices now not trusting my certificates. Not yet sure why it’s happened ahead of September.

@nemesmia-gm
Copy link

I cannot use staging at all now. When trying to install the certificate from kudu I get this error: AcmeException: Can not find issuer 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Doctored Durian Root CA X3' for certificate 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Pretend Pear X1'.]
Certes.Pkcs.CertificateStore.GetIssuers(Byte[] der) +429
Certes.CertificateChainExtensions.ToPem(CertificateChain certificateChain, IKey certKey) +185
LetsEncrypt.Azure.Core.Services.d__5.MoveNext() in D:\a\1\s\LetsEncrypt.SiteExtension.Core\Services\AcmeService.cs:61
.......

@henkkelder
Copy link

I also have problems with android devices. The ISRG Root X1 Certificate is missing from the chain.

@henkkelder
Copy link

I have replaced the Let's Encrypt certificate with the free app service managed certificate. Now old Android devices are working again.

I think the problem is that the ISRG Root X1 Certificate is not in the supplied certificate used in the SSL. On newer devices the missing certificate can be found in the device local certificate stores, but older Android devices do not have that cert.

@kfrancis
Copy link

kfrancis commented Sep 2, 2021

Same issue here.

@patsevanton patsevanton mentioned this issue Jul 22, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@kfrancis @markusfi @dombarnes @sjkp @henkkelder @nemesmia-gm