Impending doom? - DST Root CA X3 expiry

[simon-chester]

Hi,

Hopefully, I'm worrying about nothing but...

We use Acmebot for issuing certificates for our various App Services running in Azure. Although we've been using this for a while, and certificates generally renew automatically, I've noticed that the Intermediate Certificate (R3) and Root Certificate (DST Root CA X3) both expire soon (end of Sept 2021!)

Let's Encrypt published information about this expiration some time ago. I'm concerned that the certificates that Acmebot is obtaining still rely on DST Root CA X3 (rather than the newer ISRG Root X1 cert).

Please can someone reassure me that all my web services won't fall over at the end of the month? (or, if they do, it won't be because of this!)

[shibayan]

Use Qualys SSL Labs or OpenSSL to verify the certificate chain. I have confirmed that if the root CA installed on Windows (DST Root CA X3) has not expired, the actual certificate chain will not be displayed.

openssl s_client -showcerts --connect example.com:443

The same discussion is going on with Key Vault, and it appears to be a Windows or Azure side issue.
shibayan/keyvault-acmebot#355

[simon-chester]

Hey @shibayan, Thanks for getting back to me.

In honesty, I didn't understand your point about verifying the cert chain. When I use openssl to verify the chain (on my Ubuntu box) I get what I expected - a chain of 3 certs: (1) my cert, (2) Let's Encrypt R3, and (3) DST Root CA X3. No mention of ISRG Root X1 at all.

Thanks for pointing me to the keyvault issue. It sounds like the guys there are still unusure too and are hoping it will be OK too! (I think that's what I've resolved to do as well!)

[shibayan]

This Windows behavior is a bit difficult to explain, as it is suspicious to me as well.

I have confirmed that if I change the date of my PC to after September 30 and access the App Service, it will switch to ISRG Root X1 instead of DST Root CA X3, so I don't see any problem.

[webprofusion-chrisc]

Hi, the issue is that windows builds it's own chain regardless of the PFX you store. the expiring R3 is preferred by windows because it's notBefore date is actually newer than the R3 it needs to switch to.

My preferred method to force this change is to move the expiring R3 (issued by DST Root CA X3) to Untrusted:
https://community.certifytheweb.com/t/upcoming-expiry-of-dst-root-ca-x3-and-r3-intermediate-for-lets-encrypt/1480/7

[simon-chester]

Thanks for the explanation @webprofusion-chrisc. However, the services we're talking about here are running as App Services in Azure, so I don't think your suggested method is an option for me.

[webprofusion-chrisc]

No, you are quite correct!

[shibayan]

The old R3 intermediate certificate has expired and now shows the correct certificate chain.