invalid cert chain with old "DST ROOT" cert -> change default behavior #557

Closed
opened 2025-12-29 01:27:11 +01:00 by adam · 2 comments
Owner

Originally created by @TuxCoder on GitHub (Nov 15, 2021).

I encountered a problem today on a user's client: it showed an invalid cert.
After a bit of debugging it showed me an invalid chain.

The reason is that openssl does not look up alternative routes like a browser does.
So the old chain:
[DST ROOT] -> [ISRG Root X1 alt] -> [....]

is not valid any more, as [DST ROOT] has run out (valid until 30 Sep. [0]).

I could fix this by changing to the new chain with the config parameter:

```
PREFERRED_CHAIN="ISRG Root X1"
```

This is using the new direct route over the system-installed [ISRG ROOT X1]:
[ISRG Root X1 new] -> [....]

I don't know why letsencrypt still sends the old one by default, or whether it's some script bug.

So now I come to my request:
can this be the default value?
It makes much more sense to me. But I don't know how many devices still don't have the new ISRG ROOT X1 root cert,
and whether they would also get an error?!

Best Regards
TuxCoder

[0] https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

ref:
https://github.com/dehydrated-io/dehydrated/issues/843
https://github.com/dehydrated-io/dehydrated/issues/842

Some certs:

new ISRG ROOT:
https://censys.io/certificates/96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6

old ISRG Intermediate:
https://censys.io/certificates/5aa5dc59b8a73e9e35fe626ad5244e72fc54adf7c1a13cca5e622bb86b8d99e2

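The failure described in this report comes from how a path to a trust anchor is built, not from a bad certificate. The toy path builder below is an added example (not code from dehydrated, from OpenSSL, or from the issue author) that models the two routes named above with constructed, hand-written certificate records (subject, issuer and expiry only; no real DER is parsed, and the expiry dates for the ISRG certificates are assumptions, with only the DST Root CA X3 date taken from the linked expiry notice). It contrasts a verifier that follows the served chain with first-match and never backtracks, the behaviour the report attributes to openssl, against a verifier that tries every alternative issuer, the behaviour attributed to browsers. It also models the second worry in the report: a device whose trust store lacks ISRG Root X1 fails either way.

```python
"""Toy X.509 path building: first-match vs. alternative-route search.

Added example, not from the dehydrated project or the issue author.
Cert records are CONSTRUCTED stand-ins with only subject/issuer/expiry;
ISRG dates are assumptions, DST Root CA X3 expiry is 2021-09-30.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


# Constructed model of the two routes discussed in the issue:
#   old:  leaf <- R3 <- ISRG Root X1 (cross-signed by DST Root CA X3) <- DST Root CA X3
#   new:  leaf <- R3 <- ISRG Root X1 (self-signed, from the local trust store)
LEAF = Cert("example.test", "R3", date(2022, 2, 1))                    # constructed
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))                     # assumed expiry
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))  # the "alt" cert
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))      # assumed expiry
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))       # expired root

SERVED_OLD_CHAIN = [LEAF, R3, ISRG_X1_CROSS]  # default chain sent in 2021
SERVED_NEW_CHAIN = [LEAF, R3]                 # chain with PREFERRED_CHAIN="ISRG Root X1"
MODERN_STORE = [DST_X3, ISRG_X1_SELF]         # trust store that has the new root
LEGACY_STORE = [DST_X3]                       # device that never got ISRG Root X1
TODAY = date(2021, 10, 15)                    # a day after the DST root expired


def verify_first_match(chain, trust_store, today):
    """Follow the served chain, take the FIRST cert whose subject equals the
    needed issuer (served certs before trust-store certs) and never backtrack.
    Models the behaviour the issue attributes to old openssl."""
    candidates = list(chain) + list(trust_store)
    cur = chain[0]
    while True:
        if cur.not_after < today:
            return False, f"{cur.subject} expired on {cur.not_after}"
        if cur in trust_store:
            return True, f"anchored at {cur.subject}"
        nxt = next((c for c in candidates if c.subject == cur.issuer and c != cur), None)
        if nxt is None:
            return False, f"no issuer found for {cur.subject}"
        cur = nxt


def verify_with_alternatives(chain, trust_store, today):
    """Depth-first path building with backtracking: try EVERY cert whose
    subject equals the needed issuer, trust-store copies first, and accept
    the first route that ends at a valid trust anchor. Models a browser."""
    candidates = list(trust_store) + list(chain)

    def build(cur, path):
        if cur.not_after < today:
            return None                      # dead branch, backtrack
        if cur in trust_store:
            return path + [cur]
        for nxt in candidates:
            if nxt.subject == cur.issuer and nxt != cur and nxt not in path:
                found = build(nxt, path + [cur])
                if found:
                    return found
        return None

    path = build(chain[0], [])
    if path is None:
        return False, "no valid route to a trust anchor"
    return True, " -> ".join(c.subject for c in path)


if __name__ == "__main__":
    cases = [("old chain, modern store", SERVED_OLD_CHAIN, MODERN_STORE),
             ("new chain, modern store", SERVED_NEW_CHAIN, MODERN_STORE),
             ("old chain, legacy store", SERVED_OLD_CHAIN, LEGACY_STORE),
             ("new chain, legacy store", SERVED_NEW_CHAIN, LEGACY_STORE)]
    for name, chain, store in cases:
        print(f"{name}:")
        print("  first-match  :", verify_first_match(chain, store, TODAY))
        print("  alternatives :", verify_with_alternatives(chain, store, TODAY))
```

Running it shows the four outcomes behind the report: the old chain fails under first-match but passes once the verifier is allowed to pick the trust store's own ISRG Root X1 instead of the served cross-signed copy; serving the new chain makes even the first-match verifier pass; and a trust store without ISRG Root X1 fails on both chains no matter how clever the path builder is, which is the compatibility trade-off the question about older devices points at.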
adam closed this issue 2025-12-29 01:27:12 +01:00
Author
Owner

@jobe1986 commented on GitHub (Nov 15, 2021):

> I don't know why letsencrypt still sends by default the old one, or some script bug.

This is a choice made by Let's Encrypt. If I remember correctly it was something to do with continuing to support older Android versions. However, this causes problems for older OpenSSL library versions (1.0.1 and earlier), which fail the verification as a result.

Author
Owner

@TuxCoder commented on GitHub (Nov 15, 2021):

@jobe1986 thanks, I read over that part in my own link...

I also get strange verification return codes on newer openssl versions, but they succeed in the end.

Ok, openssl v1.0 is already so old; time goes by...
Will recommend my user to update, thanks!

Reference: starred/dehydrated#557