Charles,
Thanks. My initial response was "I don't think so."....

I have both the R3 intermediate and the ISRG Root X1 CA root certificate
in my IBM i CA certs certificate store. The dates are valid. The
certificates I get from Let's Encrypt when I renew are the "bundle" which
include the intermediate and the root. The decoder I used to check the
certs shows that they have valid dates (the root took a while to validate).
But then, I decided to take a closer look at what Let's Encrypt was saying
about the expiration. The issue is that the ISRG Root X1 (CA Root in
this case) was signed by *another* root (DST Root CA X3). It's THAT root
that expired. Let's Encrypt goes on to say "Oh, that won't be a problem
because the ISRG Root X1 is trusted by most browsers". Well, somewhere
down the chain, there was no trust. To further complicate matters, LE
continues to issue certs that reference the ISRG Root X1 that is signed
by DST Root CA X3. ARRRGH! So I manually changed the ISRG Root X1 to
the new one that is self-signed, as most CA roots are, and "Bob's your
uncle"...

Certificate chains always make my head hurt... In this case, I had
imported the ISRG Root X1 that IS self-signed into the CA certificate
store on IBM i. It was the pem file with the "bad" certificate chain
that was buggering the works.
Thanks for forcing me to challenge my own assumptions.
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals
Twitter - Sys_i_Geek IBM_i_Geek
On 10/1/2021 10:17 AM, Charles Wilt wrote:
Pete,
Any chance this is part of the problem?
https://www.zdnet.com/article/fortinet-shopify-others-report-issues-after-root-ca-certificate-from-lets-encrypt-expires/
Charles
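The situation Pete describes (two certificates for the same CA name and key, one self-signed and one cross-signed by a root that has since expired) can be reproduced offline with a toy PKI. The Go program below is an added example, not code from this thread or from Let's Encrypt or IBM; the CA names it uses are constructed placeholders, and it uses Go's standard `crypto/x509` verifier, which, like the strict validator on IBM i in this case, requires every certificate on the path, the trust anchor included, to be within its validity period. It shows that a signature-valid path ending at the expired old root is rejected, while the same leaf and intermediate validate once the self-signed copy of the new root is the anchor.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Toy PKI modelled on the layout discussed in the thread (constructed
// placeholder names, not the real Let's Encrypt certificates):
//   oldRoot   ~ DST Root CA X3   (trust anchor whose validity period has ended)
//   isrgSelf  ~ ISRG Root X1, self-signed
//   isrgCross ~ ISRG Root X1, same name and key, cross-signed by oldRoot
//   r3        ~ R3 intermediate, signed with the ISRG-like key
//   leaf      ~ a server certificate issued by r3
type pki struct {
	oldRoot, isrgSelf, isrgCross, r3, leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert signs tmpl with the signer's key; parent == nil means self-signed.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(serial int64, name string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func buildPKI(now time.Time) pki {
	oldKey, isrgKey, r3Key, leafKey := newKey(), newKey(), newKey(), newKey()
	longAgo, future := now.Add(-10*365*24*time.Hour), now.Add(365*24*time.Hour)
	// The old root expired yesterday but may still sit in a trust store.
	oldRoot := makeCert(caTemplate(1, "Old Root (DST-like)", longAgo, now.Add(-24*time.Hour)), nil, &oldKey.PublicKey, oldKey)
	// Same CA name and key issued twice: self-signed, and cross-signed by the old root.
	isrgSelf := makeCert(caTemplate(2, "New Root (ISRG-like)", longAgo, future), nil, &isrgKey.PublicKey, isrgKey)
	isrgCross := makeCert(caTemplate(3, "New Root (ISRG-like)", longAgo, future), oldRoot, &isrgKey.PublicKey, oldKey)
	r3 := makeCert(caTemplate(4, "R3-like intermediate", longAgo, future), isrgSelf, &r3Key.PublicKey, isrgKey)
	leaf := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(5), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, r3, &leafKey.PublicKey, r3Key)
	return pki{oldRoot, isrgSelf, isrgCross, r3, leaf}
}

// verify builds a path from leaf through the served bundle to an anchor in the
// trust store; Go checks the validity dates of every certificate, anchor included.
func verify(leaf *x509.Certificate, trusted, served []*x509.Certificate, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range served {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now, DNSName: "www.example.test"})
	return err
}

// ChainThroughExpiredRoot: the bundle carries the cross-signed root and the only
// anchor is the old root. Signatures check out, but the path ends at an expired anchor.
func ChainThroughExpiredRoot(p pki, now time.Time) error {
	return verify(p.leaf, []*x509.Certificate{p.oldRoot}, []*x509.Certificate{p.r3, p.isrgCross}, now)
}

// ChainToSelfSignedRoot: with the self-signed new root as anchor, the same bundle
// validates; the cross-signed copy in it is simply not needed.
func ChainToSelfSignedRoot(p pki, now time.Time) error {
	return verify(p.leaf, []*x509.Certificate{p.isrgSelf}, []*x509.Certificate{p.r3, p.isrgCross}, now)
}

// SameCAKey shows why the two copies are easy to confuse in a CA store:
// identical subject and public key, different issuer and signature.
func SameCAKey(p pki) bool {
	return p.isrgSelf.Subject.String() == p.isrgCross.Subject.String() &&
		bytes.Equal(p.isrgSelf.RawSubjectPublicKeyInfo, p.isrgCross.RawSubjectPublicKeyInfo) &&
		p.isrgSelf.Issuer.String() != p.isrgCross.Issuer.String()
}

func main() {
	now := time.Now()
	p := buildPKI(now)
	fmt.Println("same CA name and key in both new-root certs:", SameCAKey(p))
	fmt.Println("anchor = expired old root, bundle carries cross-sign:", ChainThroughExpiredRoot(p, now))
	fmt.Println("anchor = self-signed new root:", ChainToSelfSignedRoot(p, now))
}
```

The practical check this suggests for a CA store: compare the issuer of the root entry you hold with its subject. A cross-signed copy has a different issuer and is only as good as the root that signed it; the self-signed copy is the one to keep as the anchor.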