How do I renew this Certificate Athority

michmoor

@gpfountz
Similar method but this does work. I delete the ACME CA only.
Went into the ACME Certificates and Renew a certificate. I didn't have to renew all of them. One did the trick.

darcey

If I remember right that X1 root certificate, as well as any intermediate CAs, were not present in pfsense cert list until I generated acme certificates for the first time.
I therefore deleted the X1 root cert and regenerated certificates, thinking the process might retrieve the (possibly newer) X1 root cert. It downloaded the intermediate CA but not the root.

I don't currently use the acme certs in pfsense but instead copy the key and bundle to other hosts. The newly generated certificate bundle seems to work OK. ~~However I don't believe the X1 cert is or was ever included in the 'fullchain.pem' bundle, just the intermediate CA.~~ Wrong, scratch that.

If using acme certs for pfsense applications, was/is the X1 root cert required?

MoonKnight

I just delete mine under System/Certificate/Authorities
So far so good no problems :)

darcey

@MoonKnight
Same here. Though it would be good to understand the requirements.
First, despite the absence of X1 root cert, pf-acme package (re)grenerates certs without issue.
Second, I have compared the exported files in /conf/acme, when X1 root CA was present 'Authorities' tab and when it was not, and in both cases, none of the generated certs/bundles contained the X1 root CA.

So I am not sure what the requirement for X1 root CA is or how it came to be in pfsense certificate UI. I do understand the intermediate CA is signed by the X1 root, but things seem to operate the same without it.

There are mind ISRG_Root certs in pfsense system certs:

-r--r--r--  1 root wheel 7461 Dec  6  2023 /usr/share/certs/trusted/ISRG_Root_X1.pem

which expires 2035.
I do not know how to use openssl to determine which X1 CA signed the intermediate e.g. R10.

Popolou

Just delete the expiring X1 CA cert. It was to be withdrawn so LE ensured that any certs still using it were given an opportunity to renew against the new CA: -

On Thursday, June 6th, 2024, we will stop providing the longer cross-signed chain entirely. This is just over 90 days (the lifetime of one certificate) before the cross-sign expires, and we need to make sure subscribers have had at least one full issuance cycle to migrate off of the cross-signed chain.

If there were any cert problems as a consequence, there would have been some pretty obvious signs long before now.

Gertjan

@darcey said in How do I renew this Certificate Athority:

Second, I have compared the exported files in /conf/acme, when X1 root CA was present 'Authorities' tab and when it was not, and in both cases, none of the generated certs/bundles contained the X1 root CA.

Look at the dot fullchain file. It's the root and intermediate cert.

Another way to check : look at /var/etc/nginx-webConfigurator.conf, it's the GUI web server config file.
You find :

		ssl_certificate         /var/etc/cert.crt;

That's the same 'fullchain' with the final cert added.

AFAIK : the cert itself contains the info from what it is derived = the intermediate and root.
All systems that uses SSL/TLS have these two files, and many others, on board, as you've shown : in /usr/share/certs/trusted/ as these are just ordinary cert files, but we all agreed to 'trust' these.

When I inspect my cert fiel obtained from Letsencrypts :

openssl x509 -noout -text -in '/conf/acme/MY-CERT.crt';

It's tells me that :

Issuer: C = US, O = Let's Encrypt, CN = R10

The intermediate cert, "CN = R10" is stored is the dot ca file :

When I inspect this 'intermediate' cert file :

openssl x509 -noout -text -in '/conf/acme/MY-CERT.ca';

I get :

        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1

and that's the one we have here : /usr/share/certs/trusted/ISRG_Root_X1.pem

What I do think : I could remove the Letsencrypt CA and intermediate files from the System > Certificate > Authorities cert store.
As we already have them 'in the system' anyway.

darcey

@Gertjan I'm not using the generated certs anywhere in pfsense at the moment. I only copy the acme generated files to other hosts/applications. I like the pfsense certificate management gui :-)
I was (wrongly) expecting the ISRG Root X1 certificate itself to be in the exported files (/conf/acme), purely becasue it appeared in the GUI as a parent cert. i.e. 'fullchain'.
However it all works as expected and always has done. The only problem I foresee is where I use these certs in some application where this new root CA is not in the application's or client's trusted CAs. But that has not happened yet. I am still very sketchy on certificates!

Gertjan

@darcey said in How do I renew this Certificate Athority:

I foresee is where I use these certs in some application where this new root CA is not in the application's or client's trusted CAs

That's one of the less known reasons why you should upgrade your light bulb, coffee machine, watch, car, main firewall and all your pads and phones.
When upgrading, the newest list with "you should trust these" certificates will be part of the new system.
Modern OSes like FreeBSD, Debian, and whatever have these trusted certciates list in a package.
When important ones get added, or expired ones are definitely gone, the package is marked for upgrade, and end users always update / upgrade their systems, so all goes well.

@darcey said in How do I renew this Certificate Athority:

I am still very sketchy on certificates!

That's ok ^^
Be aware that the world's entire communication security is based on it, so you might as well trust it

darcey

@Gertjan I get the significance of a system's trusted root CA store. My misunderstanding here stemmed from the expression 'fullchain'. For some reason, I took it to mean all certs, in the chain, would be included in the exported files. But it is of course only the cert & any intermediate CA certs.
Regarding certificate trust chain on the application server side, AIUI that is not generally enforced. The application will be served over SSL whether or not a trust chain exists in the application or server's certificate store. It's clientside where the chain of trust is verified.
Interesting stuff which I am sure I will forget by the time I get a warning in 2035!

BobBrown

Asked GPT to summarize the conversation above.

Summary of Actions for Expiring Let's Encrypt Certificates (ISRG Root X1)

Understand the Situation:
- The ISRG Root X1 certificate is expiring, and it was previously cross-signed by another authority to build credibility.
- The self-signed ISRG Root X1 certificate should now be used as the cross-signed version is no longer necessary.
Remove Expiring Certificates:
- You cannot renew the expiring ISRG Root X1 certificate directly. Instead, remove it from the System > Certificate > Authorities section in pfSense.
Import Updated Certificates:
- Obtain the self-signed ISRG Root X1 certificate and, optionally, the ISRG Root X2 certificate in PEM format from Let’s Encrypt.
- Import these updated certificates into pfSense under System > Certificates > Authorities.
Check and Renew Other Certificates:
- If you're using ACME for managing certificates, remove the existing ACME CA entry under System > Certificate > Authorities.
- Go to the Services > ACME section and manually renew the relevant ACME certificates. This should regenerate the required certificates and possibly download the newer CA certificates automatically.
Verify the Updated Certificates:
- After importing the updated certificates or renewing the ACME certificates, verify that the services depending on these certificates are still functioning correctly and that the warning messages have disappeared.

This process ensures that you are using the latest trusted root and intermediate certificates, avoiding issues with expired certificates.

michmoor

@BobBrown lol love it.

pfpv

@BobBrown said in How do I renew this Certificate Athority:

The ISRG Root X1 certificate is expiring, and it was previously cross-signed by another authority to build credibility.

I read this thread and got confused. Why is the ISRG Root X1 certificate expiring? Letsencrypt shows "Validity: until 2030-06-04": https://letsencrypt.org/certificates/

Why do you want it in System > Certificates > Authorities? I only have the intermediates there: R10, R11, and now E6. I don't think I ever had the X1 there.

LarryFahnoe

@pfpv said in How do I renew this Certificate Athority:

Why do you want it in System > Certificates > Authorities? I only have the intermediates there: R10, R11, and now E6. I don't think I ever had the X1 there.

I agree, it is confusing. The confusion is multiplied because the X1 and X2 CA certs are already part of the OS bundle, so it should be unnecessary to install via the GUI (your situation). In my case however, I am unable to have a functional system without the X1 CA cert being manually imported. For my IPsec VPNs I use mutual certificate authentication in the P1s, and if I do not have the X1 cert imported, the tunnels will not establish. I have tried several times to tear everything down and rebuild to no avail, so I have left it as a bit of an annoying puzzle for now. At some point I will get it beaten into submission though it feels like it may take a complete rebuild from scratch which I've just not wanted to invest the time in.

--Larry

pfpv

@LarryFahnoe
OK, I understood. Do you also think that the X1 certificate is expiring soon? That was the most confusing part.

LarryFahnoe

@pfpv There was an older self-signed X1 cert that expires on Sept 30 if I recall correctly, hence some urgency for some.

BobBrown

@LarryFahnoe : "In my case however, I am unable to have a functional system without the X1 CA cert being manually imported."

Same here: I have IPSec tunnel between two data centers.

LarryFahnoe

@BobBrown to be clear, are you running into the same problem: need to have the X1 cert manually imported in order to have functioning IPsec tunnel? If so, are you also using mutual cert auth between the P1s?

--Larry

johnpoz

@BobBrown said in How do I renew this Certificate Athority:

I have IPSec tunnel between two data centers.

Why would you be using acme certs for this??

https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-tls.html#ipsec-site-to-site-vpn-example-with-certificate-authentication

I mean random sites would not be creating a tunnel with you, so why would you need a public trusted cert signed by a public CA. Just create your own CAs, they could even be different CAs on each side of the tunnel. Sign your own certs, you could make them valid for a lot longer than the 90 days any certs by amce would be good for.

LarryFahnoe

@johnpoz said in How do I renew this Certificate Athority:

why would you need a public trusted cert signed by a public CA

I'm clearly not Bob, but... Why not use a publicly trusted cert? Perhaps I'm daft, but it seems to me that acme provides another potential benefit in that the certs are refreshed periodically which seems to be better than a cert that changes infrequently. I'm further inferring that Lets Encrypt has a better ability to manage their CA than I do--pfSense can be a CA, but can't very well meet the recommendation to keep your CA offline. I do not claim to be a PKI expert by any means.

Those comments aside, the puzzle I've still not worked out is why stronswan seems to require an imported X1 cert when one is already in the OS bundle. I've attempted to document some of this here https://forum.netgate.com/post/1177287

--Larry

BobBrown

@johnpoz lack of experience.
At the time of configuration I outsourced the PFSense configuration to a contractor.