dehydrated issues certificate chains leading to expired root #556

Open
opened 2025-12-29 01:27:11 +01:00 by adam · 7 comments

Originally created by @minfrin on GitHub (Nov 15, 2021).

Letsencrypt's root expired on 21 September:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

I have discovered a machine that is having letsencrypt certs be renewed, but the chain provided by dehydrated is providing the old cert chain that points at the expired cert.

Systems using old openssl (CentOS7 and below) then break in all sorts of ways.

To fix this, make sure the chain doesn't lead to an expired cert.

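The report asks that the chain be checked for leading to an expired certificate. The script below is an added example, not part of dehydrated and not from anyone in this thread: it reads a PEM bundle such as dehydrated's `fullchain.pem` with a minimal standard-library DER walker, lists each certificate's subject, issuer and expiry, and flags two conditions: a certificate in the bundle that has already expired, and a bundle whose last certificate was issued by a root known to have expired (DST Root CA X3 expired on 2021-09-30 14:01:15 UTC). The second check is the one that matters here, since nothing inside the default chain was itself expired; it merely pointed at DST Root CA X3. The sample chains at the bottom are constructed certificate shells with dummy signatures (parseable, not verifiable); the names mirror the thread, the dates are illustrative.

```python
"""Added example (not dehydrated's code): inspect a PEM bundle, report expired
certificates, and report a chain that ends at a root known to have expired."""
import base64
import re
from datetime import datetime, timezone

CN_OID = b"\x55\x04\x03"                                # 2.5.4.3 commonName
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"    # 1.2.840.113549.1.1.11
KNOWN_EXPIRED_ROOTS = {"DST Root CA X3"}                # expired 2021-09-30 14:01:15 UTC
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag and length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Iterate over the TLVs contained in a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def _cn(buf, start, end):
    """commonName from a Name (SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    for _, rdn_s, rdn_e in _children(buf, start, end):
        for _, atv_s, atv_e in _children(buf, rdn_s, rdn_e):
            (_, oid_s, oid_e), (_, v_s, v_e) = list(_children(buf, atv_s, atv_e))[:2]
            if buf[oid_s:oid_e] == CN_OID:
                return buf[v_s:v_e].decode("utf-8", "replace")
    return ""

def _time(buf, tag, start, end):
    """UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_cert(der):
    """Subject CN, issuer CN and validity period of one DER certificate."""
    _, cert_s, _ = _tlv(der, 0)                         # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)                 # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                            # drop explicit [0] version
        fields = fields[1:]
    # order now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    (_, iss_s, iss_e), (_, val_s, val_e), (_, sub_s, sub_e) = fields[2:5]
    (nb_tag, nb_s, nb_e), (na_tag, na_s, na_e) = _children(der, val_s, val_e)
    return {"subject": _cn(der, sub_s, sub_e), "issuer": _cn(der, iss_s, iss_e),
            "not_before": _time(der, nb_tag, nb_s, nb_e), "not_after": _time(der, na_tag, na_s, na_e)}

def chain_report(pem_bytes, now=None):
    """One dict per certificate, in bundle order, with an 'expired' flag."""
    now = now or datetime.now(timezone.utc)
    report = []
    for m in PEM_RE.finditer(pem_bytes):
        info = parse_cert(base64.b64decode(b"".join(m.group(1).split())))
        info["expired"] = info["not_after"] < now
        report.append(info)
    return report

def chain_problems(pem_bytes, now=None):
    """Findings: expired certificates in the bundle, plus a last certificate whose
    issuer is a root known to have expired (the situation in this issue)."""
    report = chain_report(pem_bytes, now)
    findings = [f"{c['subject']} expired {c['not_after']:%Y-%m-%d}" for c in report if c["expired"]]
    if report and report[-1]["issuer"] in KNOWN_EXPIRED_ROOTS:
        findings.append(f"chain leads to expired root {report[-1]['issuer']}")
    return findings

# ---- constructed sample data: certificate shells with dummy signatures (parseable, not verifiable) ----
def _der(tag, body):
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def fake_cert(subject, issuer, not_before, not_after):
    """PEM for a constructed certificate carrying only the fields this script reads."""
    alg = _der(0x30, _der(0x06, SHA256_RSA) + _der(0x05, b""))
    utctime = lambda dt: _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + _name(issuer)
               + _der(0x30, utctime(not_before) + utctime(not_after)) + _name(subject) + _der(0x30, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"

LEAF = fake_cert("redwax.eu", "R3", utc(2021, 11, 7), utc(2022, 2, 5))
R3 = fake_cert("R3", "ISRG Root X1", utc(2020, 9, 4), utc(2025, 9, 15))
X1_CROSS = fake_cert("ISRG Root X1", "DST Root CA X3", utc(2021, 1, 20), utc(2024, 9, 30))
LONG_CHAIN = LEAF + R3 + X1_CROSS       # Let's Encrypt's default chain in late 2021
SHORT_CHAIN = LEAF + R3                 # what PREFERRED_CHAIN="ISRG Root X1" selects
CHECK_TIME = utc(2021, 11, 15)          # date of the original report
```

Run against a real `fullchain.pem` by reading the file's bytes into `chain_problems()`; the long chain is reported as leading to DST Root CA X3 while the short chain yields no findings. The root itself is never part of the bundle, which is why the check looks at the last certificate's issuer rather than at expiry dates alone; a trust-store lookup of that issuer would replace the hard-coded set in a production check.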

@jobe1986 commented on GitHub (Nov 15, 2021):

The chain is supplied by Let's Encrypt not dehydrated. dehydrated simply downloads the default chain Let's Encrypt supplies.

You can select the alternative (short) chain using `PREFERRED_CHAIN="ISRG Root X1"` in your config file


@AgentOak commented on GitHub (Nov 15, 2021):

This is the expected behavior as per Lets Encrypt's own documentation, and the very article you linked explains why.


@minfrin commented on GitHub (Nov 15, 2021):

> The chain is supplied by Let's Encrypt not dehydrated. dehydrated simply downloads the default chain Let's Encrypt supplies.
>
> You can select the alternative (short) chain using `PREFERRED_CHAIN="ISRG Root X1"` in your config file

Alas, no luck.

```
[root@chestnut ~]# dehydrated -x -c
# INFO: Using main config file /etc/dehydrated/config
# INFO: Using additional config file /etc/dehydrated/conf.d/local.sh
Processing redwax.eu
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb  5 07:35:21 2022 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for redwax.eu
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for redwax.eu authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
ERROR: Alternative chain with CN = ISRG Root X1 not found, available options: issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3, issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
```

Unfortunately the error message doesn't contain quotes around the values, so it's not clear where the values start and end, or whether they include the "issuer=".


@lukas2511 commented on GitHub (Nov 16, 2021):

I'm guessing you are on the latest release-version of dehydrated? Can you please check if the latest version from master branch works for you? There already should be a fix for the CN extraction (29b67962ac).

Other than that what others already reported is correct, dehydrated doesn't generate or actively select the chain. It uses the default chain pushed by the CA unless given instructions to use a different one.


@mnik247 commented on GitHub (Nov 30, 2021):

> > The chain is supplied by Let's Encrypt not dehydrated. dehydrated simply downloads the default chain Let's Encrypt supplies.
> >
> > You can select the alternative (short) chain using `PREFERRED_CHAIN="ISRG Root X1"` in your config file
>
> Alas, no luck.
>
> ```
> [root@chestnut ~]# dehydrated -x -c
> # INFO: Using main config file /etc/dehydrated/config
> # INFO: Using additional config file /etc/dehydrated/conf.d/local.sh
> Processing redwax.eu
>  + Checking domain name(s) of existing cert... unchanged.
>  + Checking expire date of existing cert...
>  + Valid till Feb  5 07:35:21 2022 GMT (Longer than 30 days). Ignoring because renew was forced!
>  + Signing domains...
>  + Generating signing request...
>  + Requesting new certificate order from CA...
>  + Received 1 authorizations URLs from the CA
>  + Handling authorization for redwax.eu
>  + 1 pending challenge(s)
>  + Deploying challenge tokens...
>  + Responding to challenge for redwax.eu authorization...
>  + Challenge is valid!
>  + Cleaning challenge tokens...
>  + Requesting certificate...
> ERROR: Alternative chain with CN = ISRG Root X1 not found, available options: issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3, issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
> ```
>
> Unfortunately the error message doesn't contain quotes around the values, so it's not clear where the values start and end, or whether they include the "issuer=".

or try

`PREFERRED_CHAIN="issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1"`


@loopiv commented on GitHub (Feb 2, 2022):

Just wanted to add another data point. On CentOS 7 (EL7) systems with dehydrated version 0.7.0 (release-version), I need to use the long version of the chain. On Oracle Linux 8 (EL8) with same dehydrated version, I need to use the short preferred chain string.

Kind of related - any chance of a new release version soon(ish)? In our environment, we usually need to use released versions. That may help with the above for consistency.

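The EL7/EL8 split above is consistent with the two ways `openssl x509 -issuer` prints a name: the legacy slash form (`issuer= /C=US/O=.../CN=ISRG Root X1`, as in the error output quoted earlier) and the newer comma-separated form (`issuer=C = US, O = ..., CN = ISRG Root X1`). That explanation is my reading, not something the thread states. The snippet below is an added example, not dehydrated's code and not the fix referenced above: it extracts the CN from either layout and matches it against a `PREFERRED_CHAIN` value, accepting either the bare CN or the full issuer string, so that a config value works regardless of which OpenSSL produced the output.

```python
"""Added example (not dehydrated's code): CN extraction from an openssl
issuer/subject line in either output layout, plus PREFERRED_CHAIN matching."""
import re

# Legacy layout (e.g. EL7 openssl): "issuer= /C=US/O=.../CN=ISRG Root X1"
SLASH_CN = re.compile(r"/CN=([^/]*)")
# Newer layout (e.g. EL8 openssl): "issuer=C = US, O = ..., CN = ISRG Root X1"
COMMA_CN = re.compile(r"(?:^|[,=])\s*CN\s*=\s*([^,]*)")

def issuer_cn(line):
    """Return the CN found in the line, whitespace-stripped, or '' if none."""
    m = SLASH_CN.search(line) or COMMA_CN.search(line)
    return m.group(1).strip() if m else ""

def matches_preferred(line, preferred):
    """True if PREFERRED_CHAIN equals the line's CN or the whole line; the second
    form covers configs that paste the full issuer string, as tried in this thread."""
    preferred = preferred.strip()
    return preferred in (issuer_cn(line), line.strip())

def select_chain(options, preferred):
    """Pick the first chain option (one issuer line each) matching PREFERRED_CHAIN."""
    for line in options:
        if matches_preferred(line, preferred):
            return line
    return None

# Constructed inputs: the two options listed in the error message quoted above.
OPTIONS = ["issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3",
           "issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1"]
```

Note that the options are kept as a list rather than split on `, `; in the comma layout the separator also appears inside each name, which is exactly the ambiguity the earlier comment complained about when reading the error message.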

@sigprof commented on GitHub (Sep 26, 2023):

Apparently dehydrated version 0.7.1 had been released, and it fixes this problem on CentOS 7 (`PREFERRED_CHAIN="ISRG Root X1"` works, while it did not with dehydrated 0.7.0); there is even a new enough `dehydrated-0.7.1-1.el7` package in EPEL. So I suppose that this issue can be closed as fixed.

Reference: starred/dehydrated#556