Netgate Discussion Forum
Let's encrypt CA expired

ACME
johnpoz (LAYER 8 Global Moderator) @emc, Oct 2, 2024, 4:15 PM

@emc My understanding is you could in theory just delete all of those, and next time you run acme if it needs a CA it would just install it.. Or maybe on a reinstall of the package..

But I wouldn't worry too much, but yeah you can delete that expired CA, you can see on the right there you don't have any certs under that CA being used.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11
jrey @emc, Oct 2, 2024, 4:27 PM (edited 4:31 PM)

@emc

Wait, aren't there 3 certs listed against that expired certificate?
I thought it would auto-renew as well, but it never seemed to.

Here is what I did:

https://forum.netgate.com/topic/189674/certificate-updated-ca-r11-still-pointing-to-isrg-root-x1?_=1727886203715

and the certificates that were under my expired one immediately moved to the new certificate;
then I deleted the old one.
johnpoz (LAYER 8 Global Moderator) @jrey, Oct 2, 2024, 4:32 PM (edited 4:35 PM)

@jrey said in Let's encrypt CA expired:

Wait aren't there 3 certs listed against that expired certificate.

Where are you seeing that?

[screenshot]

I don't see anything.. I see HAProxy using one under that top R3 that expires in Sept 2025.

edit.. Oh, the 3 there, but they are currently not listed as IN USE.. Maybe he has some old certs too?
emc @jrey, Oct 2, 2024, 4:43 PM

@jrey Is the PEM certificate that I highlighted in the first screenshot the correct one (Certificate details (self-signed))?
Gertjan @emc, Oct 2, 2024, 4:54 PM

@emc

Under CA, right?

[screenshot]

You can ditch them (expired Letsencrypt CAs).
If you want the new ones, as these are from Letsencrypt, do your shopping here:
Chains of Trust

Get the two CAs: ISRG Root X1 (if you are an RSA guy) and ISRG Root X2 if you want to go all ECDSA.

Same thing for the Subordinate (Intermediate) CAs:
get all the E5/E6 and R10/R11.

That said: I really guess none of them really need to be loaded into the pfSense cert store.
I'll have to test that: wipe them all, then renew a cert with acme.sh. I'm pretty sure everything keeps on working just fine.

If things go wrong: yell at me, and get your config backup back in ;)
I still have to do this test.

Right now, I see this:

[screenshot]

as my current certs are based upon:

[screenshot]

No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ??
jrey @johnpoz, Oct 2, 2024, 5:31 PM

@johnpoz said in Let's encrypt CA expired:

Oh the 3 there, but they are currently not listed as IN USE..

The "3" would be the number of "Certificates" that are chained up to that CA.

So for example I have a 1; the In Use column is empty on the CA screen, and then under Certificates there is 1 that references the CA, and on that screen the In Use column shows what is using it.

My self-signed CA for VPN - the CA shows 2, and under "Certificates" there are 2 certificates that reference it.

On my CA list the one with a 2 does not have anything in the "In Use" column either.

[screenshot]

But on the Certificates page there are 2 "In use" that reference the above CA;
they also both have values in "In Use" on that screen.

[screenshot]

So on the certificates screen he likely has 3 certificates referencing that CA.
We don't know if they are in use or not because we don't see that screen.

In fact I have 3 CAs (none have an In Use value); in the certificates column they total 4, and on the Certificates screen there are, well, 4 certificates - 1 is not in use (field empty) but it still chains up to a CA - the other 3 all have In Use values. 2 of those are the VPN.
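As an added example (not from the thread, not pfSense's own code), the two counts discussed above computed from a config backup: the CA page's count is the number of certs whose issuer reference points at that CA, and a cert is "in use" when something else in the config references it. The element layout (top-level `<ca>`/`<cert>` entries keyed by `<refid>`, certs pointing at their issuer via `<caref>`, consumers such as `<ssl-certref>`) is my assumption about pfSense's config.xml, and the fragment is constructed:

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragment (not a real export). Element names follow
# the pfSense config layout as assumed in the lead-in; <crt> blobs are omitted.
SAMPLE_CONFIG = """<pfsense>
  <system><webgui><ssl-certref>cert-haproxy</ssl-certref></webgui></system>
  <openvpn><openvpn-server><certref>cert-vpn</certref></openvpn-server></openvpn>
  <ca><refid>ca-x1-old</refid><descr>ISRG Root X1 (expired)</descr></ca>
  <ca><refid>ca-r11</refid><descr>R11</descr></ca>
  <ca><refid>ca-r3</refid><descr>R3</descr></ca>
  <cert><refid>cert-haproxy</refid><descr>haproxy</descr><caref>ca-r11</caref></cert>
  <cert><refid>cert-vpn</refid><descr>vpn</descr><caref>ca-x1-old</caref></cert>
  <cert><refid>cert-old</refid><descr>old web</descr><caref>ca-x1-old</caref></cert>
</pfsense>"""


def ca_report(config_xml):
    """Per CA: description, number of certs chained to it, and which of those
    are referenced elsewhere in the config (the Certificates page's In Use)."""
    root = ET.fromstring(config_xml)
    cas = {ca.findtext("refid"): ca.findtext("descr") for ca in root.findall("ca")}
    certs = {c.findtext("refid"): c.findtext("caref") for c in root.findall("cert")}
    # Any element other than the store's own <refid>/<caref> that carries a
    # cert refid as its text counts as a consumer of that cert.
    referenced = set()
    for el in root.iter():
        if el.tag in ("refid", "caref"):
            continue
        if el.text and el.text.strip() in certs:
            referenced.add(el.text.strip())
    report = {}
    for ca_id, descr in cas.items():
        chained = [c for c, issuer in certs.items() if issuer == ca_id]
        report[ca_id] = {
            "descr": descr,
            "certificates": len(chained),  # the CA page's count column
            "in_use": sorted(c for c in chained if c in referenced),
        }
    return report


def unreferenced_cas(config_xml):
    """CAs with no cert chained to them: nothing in the store depends on them."""
    return sorted(ca for ca, r in ca_report(config_xml).items() if r["certificates"] == 0)


if __name__ == "__main__":
    for ca_id, r in ca_report(SAMPLE_CONFIG).items():
        print(f"{r['descr']:<24} certificates={r['certificates']} in_use={r['in_use']}")
    print("no certs chained:", unreferenced_cas(SAMPLE_CONFIG))
```

A CA that shows a non-zero count but an empty In Use column (the case jrey describes) still has certs chained to it; only the Certificates page tells you whether those certs are consumed.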
jrey @emc, Oct 2, 2024, 7:38 PM

@emc said in Let's encrypt CA expired:

Is the PEM certificate that I highlighted in the first screenshot the correct one (Certificate details (self-signed))?

Yes

make a backup of the config .. 👍

https://letsencrypt.org/certificates/

just need the pem from that line
johnpoz (LAYER 8 Global Moderator) @jrey, Oct 2, 2024, 8:13 PM

@jrey little reason to back them up to be honest.. So I had 3 acme CAs, I deleted them all, and renewed a couple of certs I had.. The CAs auto got added back.

[screenshot]
jrey @johnpoz, Oct 2, 2024, 10:11 PM

@johnpoz

Interesting - I wonder if it has something to do with:

in your first screen capture the CAs are E5, E6, R3

also notice that your R3 shown in the first CA screen capture isn't in the second screen capture - I assume that is after you deleted and renewed and you are showing they came back (the 2 highlighted).

but at the same time the ones that most people are inquiring about with the "problem" are those where on CA the CN = X1 on the authority.

now @Gertjan in his screen capture is showing both X1, X2, R10 and R11,
and that X1 is current (2035 expiry),
but only the X1 and R10 are chained on that screen (count 1 each).

in my case it is the X1 and R11; the other 2 don't exist.

in the op's case he has an R3 not used, and R10 not used,
and an expired X1 and valid R11.

So maybe the X1 renewal is the issue. I just did it manually and it's fine. I guess we could experiment more - but it works so ...
johnpoz (LAYER 8 Global Moderator) @jrey, Oct 2, 2024, 10:20 PM (edited 10:21 PM)

@jrey it doesn't need CAs you don't have off of... My point was just delete them if they are expired.. And CAs that acme needs to renew your certs will just get added back anyway.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.