SSL Letsencrypt Expiring of cross-sign of the Let's Encrypt root certificate ISRG Root X1

Discussion in 'Domains, DNS, Email & SSL Certificates' started by happyhacking, Mar 11, 2024.

  1. happyhacking

    happyhacking Member

    Due to the planned 2024 changes in the chain of trust of Let's Encrypt certificates, starting from Thursday, February 8th, 2024, Let’s Encrypt by default will stop providing certificates with the root certificate that is cross-signed by the DST Root CA X3 certificate - see the page Shortening the Let's Encrypt Chain of Trust for details.


    This is done because the cross-sign of the Let's Encrypt root certificate ISRG Root X1 by the DST Root CA X3 which was done for the backwards compatibility reasons will expire on Monday, September 30th, 2024.


    Would this have any effect on SSL certificates for Centminmod servers?

    Thanks in advance.
     
  2. eva2000

    eva2000 Administrator Staff Member

    Thanks for the heads up reminder on this! Centmin Mod Nginx HTTPS uses Letsencrypt by default (since Oct 1, 2021) with addons/acmetool.sh responsible for Nginx HTTPS Letsencrypt SSL issuance and the addons/acmetool.sh by default is configured with ACME_PREFERRED_CHAIN=' --preferred-chain "ISRG"' variable which tells Letsencrypt to issue free Letsencrypt SSL certificates for Centmin Mod Nginx using the recommended shorter chain = ISRG Root X1 as outlined at https://letsencrypt.org/2023/07/10/cross-sign-expiration.html. Updated my blog post at https://blog.centminmod.com/2021/10...rtificate-expiration-on-centos-7/#finalexpiry as well :)

    The ACME_PREFERRED_CHAIN value of ISRG was setup in addons/acmetool.sh according to Github blame mode view Blaming centminmod/addons/acmetool.sh at 130.00beta01 · centminmod/centminmod ~3yrs 5 months ago in commit update acmetool.sh 1.0.76 · centminmod/centminmod@ff0a819. This means any Centmin Mod Nginx HTTPS site created with default addons/acmetool.sh since Oct 1, 2021 would now be using the recommended and suggested short chain to ISRG Root X1 certificate outlined at https://letsencrypt.org/2023/07/10/cross-sign-expiration.html.

    The only Centmin Mod Nginx HTTPS users who would be impacted by the changes would be folks that deliberately overrode the addons/acmetool.sh default by setting in persistent config file /etc/centminmod/custom_config.inc as per Preferred Chain the following: ACME_PREFERRED_CHAIN=' --preferred-chain "DST Root CA X3"' to prefer the longer DST Root CA X3 chain, which is no longer issued since Feb 8, 2024. To reverse this, just remove from persistent config file /etc/centminmod/custom_config.inc the ACME_PREFERRED_CHAIN=' --preferred-chain "DST Root CA X3"' variable that you deliberately set and then reissue all Centmin Mod Nginx issued SSL certificates using the Centmin Mod/acmetool.sh/acme.sh setup cronjob command:
    Code (Text):
    /root/.acme.sh/acme.sh --upgrade
    /root/.acme.sh/acme.sh --set-default-chain --preferred-chain "ISRG" --server letsencrypt
    /root/.acme.sh/acme.sh --renewAll --force
    

    Or if you just want to reissue a specific domain's Letsencrypt SSL certificate, you can on Centmin Mod 124.00stable or 130.00beta01, update your local code via cmupdate command and then reissue your Letsencrypt SSL certificate for your domains using the new default shorter chain ISRG Root X1 via SSH command line using the acmetool.sh addon wrapper script. Replace yourdomain.com with your Centmin Mod Nginx site’s domain name or subdomain name. The reissue-only option will only touch your existing Centmin Mod Nginx site’s SSL certificate configuration, leaving the rest of your Nginx HTTPS vhost configuration intact.

    Code (Text):
    cmupdate
    /usr/local/src/centminmod/addons/acmetool.sh reissue-only yourdomain.com live


    Once you have reissued the certificate with the updated shorter chain for your domain, you can check it with the SSLLabs testing tool to inspect the available certificate chain paths that common applications take.

    Using the shorter preferred chain ISRG Root X1 certificate by default since Oct 1, 2021 for Centmin Mod Nginx HTTPS Letsencrypt SSL certificates meant older Android/client devices wouldn't have been able to visit your Centmin Mod Nginx HTTPS site as outlined in my blog post at https://blog.centminmod.com/2021/10...oot-ca-x3-certificate-expiration-on-centos-7/ and would have been greeted with errors like
    That is why some folks would have manually overridden the preferred shorter chain to the longer DST Root CA X3 certificates which had extended expiry until September 30, 2024. But Letsencrypt stopped issuing such longer DST Root CA X3 certificates since Feb 8, 2024. So you would have started to get failed Letsencrypt SSL certificate issuances last month if you had manually overridden the Acme Preferred chain, and by September 2024 you would experience older browser/client/OS visitors to your sites complaining that they can't access it due to their older devices seeing the longer DST Root CA X3 certificates as expired by then.

    As per my blog post at https://blog.centminmod.com/2021/10...oot-ca-x3-certificate-expiration-on-centos-7/, a full list of older devices which may be impacted is listed here and includes:

    Switching to ZeroSSL SSL Certificates



    Now if you still have site visitors to your Centmin Mod Nginx HTTPS site using these older devices, then your option is to switch the Centmin Mod Nginx HTTPS default Letsencrypt SSL certificate provider to the ZeroSSL SSL certificate provider as outlined at https://blog.centminmod.com/2021/10...zerossl-free-ssl-certificates-on-centmin-mod/. ZeroSSL SSL certificates use the AAA Certificate Services root which is cross-signed to support older devices like:
    • Apple iOS 3.
    • Apple macOS 10.4.
    • Google Android 2.3.
    • Mozilla Firefox 1.
    • Oracle Java JRE 1.5.0_08.
    An interesting non-Centmin Mod note is that cPanel control panel’s own cPanel CA issued SSL certificates also use Comodo/Sectigo CA and have the very same cross-signed AAA Certificate Services root certificate as an alternative SSL chain path too.

    Cloudflare SSL Certificates



    Similarly, if you need these older device visitors to be able to access your Centmin Mod Nginx HTTPS site and you use Cloudflare and their free SSL certificates issue a Letsencrypt SSL certificate, you want to upgrade to Cloudflare Advanced Certificate Management $10/month Introducing: Advanced Certificate Manager to be able to choose your SSL provider and select Google Trust Services CA SSL certificates as outlined at https://blog.centminmod.com/2021/10...ertificate-expiration-on-centos-7/#cloudflare. Google Trust Services CA SSL certificates use the GTS Root R1 Cross cross-signed certificate to maintain older browser and device compatibility. The GTS Root R1 Cross was cross-signed by GlobalSign Root CA – R1 which was created on September 1, 1998 and expires on January 28, 2028 and is found in many older devices' and browsers' CA trust stores due to its age and validity since 1998. So folks have another 3yrs and 10 months before it is a concern again for very old browsers and legacy devices.
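As an added example (not from the post above or the Centmin Mod project), a small Python checker that takes the "Certificate chain" section printed by `openssl s_client -connect host:443 -showcerts` and tells you whether a server is presenting the short chain ending at ISRG Root X1 or the long chain containing ISRG Root X1 cross-signed by DST Root CA X3, which is what the acme.sh preferred-chain setting in the post controls. The two sample chain texts are constructed, and yourdomain.com is a placeholder.

```python
import re
from datetime import date

# Constructed sample s_client "Certificate chain" output (not captured from a real host).
SHORT_CHAIN = """\
Certificate chain
 0 s:CN = yourdomain.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""

LONG_CHAIN = """\
Certificate chain
 0 s:CN = yourdomain.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

# Expiry of the DST Root CA X3 cross-sign of ISRG Root X1, as stated in the thread.
DST_CROSS_SIGN_EXPIRY = date(2024, 9, 30)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    pairs = re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", text, re.MULTILINE)
    return [(s.strip(), i.strip()) for s, i in pairs]


def classify_chain(text, today=None):
    """Return ('short' | 'long' | 'unknown', note) for one s_client chain dump."""
    chain = parse_chain(text)
    if not chain:
        return "unknown", "no certificate chain found in input"
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    _, top_issuer = chain[-1]  # issuer of the last cert the server sent
    if "DST Root CA X3" in top_issuer:
        status = "expired" if today > DST_CROSS_SIGN_EXPIRY else "expires"
        return "long", (f"long chain via DST Root CA X3 cross-sign ({status} "
                        f"{DST_CROSS_SIGN_EXPIRY}); reissue with --preferred-chain 'ISRG'")
    if "ISRG Root X1" in top_issuer:
        return "short", "short chain ending at ISRG Root X1 (recommended)"
    return "unknown", f"chain ends at unrecognised issuer: {top_issuer}"
```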