2021-09-30
Seeing the expiry of the old LetsEncrypt chain happen 2 weeks ago
The 'moment of truth' for LetsEncrypt: the end of the validity of the root certificate that was used to kickstart LetsEncrypt before they got their own root certificate in (most) certificate stores. I notice openssl is still showing the old chain (but not the expired intermediate):--- Certificate chain 0 s:CN = koos.idefix.net i:C = US, O = Let's Encrypt, CN = R3 1 s:C = US, O = Let's Encrypt, CN = R3 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1 i:O = Digital Signature Trust Co., CN = DST Root CA X3 ---Which is interesting as the ISRG Root X1 is also in the root store. But it's also cross-signed to the DST Root CA. Checking the verification steps (and not the chain as given out by the server) gives the new path already:depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = R3 verify return:1 depth=0 CN = koos.idefix.net verify return:1This is a subtle but important difference. Only hours left until the DST Root expires:$ openssl x509 -in DST_Root_CA_X3.crt -noout -enddate notAfter=Sep 30 14:01:15 2021 GMTIf services break after 14:01:15 GMT (UTC) today you're not working according to best practices (replacing the certificate chain with every certificate replacement) or you have old clients. Slight update: I requested a new LetsEncrypt certificate for a service after 14:01:15 GMT (UTC) and it still has the certificate chain with cross-certification to DST Root CA X3:--- Certificate chain 0 s:CN = koos.idefix.net i:C = US, O = Let's Encrypt, CN = R3 1 s:C = US, O = Let's Encrypt, CN = R3 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1 i:O = Digital Signature Trust Co., CN = DST Root CA X3 ---The verification steps are as above.