How do I fix this expiring ACME Certificate?
-
Hi - I'm hoping someone can help me.
Update: I did some digging and came across crt.sh. It appears that there were no recently issued certs using R3 -- It appears that E5 and E6 are being used at the moment, and I found these certs in the pfSense cert tab, so I assume these are the updates for R3.
So my revised questions are:
- Should I delete the R3 cert from pfSense to stop the warning messages?
- Is there any action I need to take? (Will ACME just keep renewing Certs just as it has done in the past?)
Any guidance will be very much appreciated.
O=Let's Encrypt, CN=E5, C=US
Serial: 0x838F6C63CEB1398C6206628315C9FDDE
Signature Digest: RSA-SHA256
KU: Digital Signature, Certificate Sign, CRL Sign
EKU: TLS Web Client Authentication, TLS Web Server Authentication
DN: /C=US/O=Let's Encrypt/CN=E5
Hash: 462422cf
Subject Key ID: 9F:2B:5F:CF:3C:21:4F:9D:04:B7:ED:2B:2C:C4:C6:70:8B:D2:D7:0D
Authority Key ID: 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
Total Lifetime: 1094 days
Lifetime Remaining: 561 days until expiration
Trust Store: Excluded
Valid From: Tue, 12 Mar 2024 20:00:00 -0400
Valid Until: Fri, 12 Mar 2027 18:59:59 -0500

O=Let's Encrypt, CN=E6, C=US
Serial: 0xB0573E9173972770DBB487CB3A452B38
Signature Digest: RSA-SHA256
KU: Digital Signature, Certificate Sign, CRL Sign
EKU: TLS Web Client Authentication, TLS Web Server Authentication
DN: /C=US/O=Let's Encrypt/CN=E6
Hash: 9aad238c
Subject Key ID: 93:27:46:98:03:A9:51:68:8E:98:D6:C4:42:48:DB:23:BF:58:94:D2
Authority Key ID: 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
Total Lifetime: 1094 days
Lifetime Remaining: 561 days until expiration
Trust Store: Excluded
Valid From: Tue, 12 Mar 2024 20:00:00 -0400
Valid Until: Fri, 12 Mar 2027 18:59:59 -0500
Original Post:
IIUC the certificate below is an ACME intermediate certificate associated with the ACME package used for validation during the certificate creation/renewal process. How do I renew/replace this certificate? Is there a place I can download a new CA certificate?
Any assistance would be much appreciated.
O=Let's Encrypt, CN=R3, C=US
Serial: 0x912B084ACF0C18A753F6D62E25A75F5A
Signature Digest: RSA-SHA256
KU: Digital Signature, Certificate Sign, CRL Sign
EKU: TLS Web Client Authentication, TLS Web Server Authentication
DN: /C=US/O=Let's Encrypt/CN=R3
Hash: 8d33f237
Subject Key ID: 14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
Authority Key ID: 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
Total Lifetime: 1837 days
Lifetime Remaining: Expiring soon, in 18 days
Trust Store: Excluded
Valid From: Thu, 03 Sep 2020 20:00:00 -0400
Valid Until: Mon, 15 Sep 2025 12:00:00 -0400
-
@guardian said in How do I fix this expiring ACME Certificate?:
CN=R3
Euh, that one has been deprecated a long time ago.
Read: https://letsencrypt.org/certificates/
Read some of these: Let's Encrypt R3
And now I'm asking myself, what is this 'R3', with an expiry date of "15 Sep 2025", when the R3 I knew back then expired somewhere in 2024?
Do you have this R3 in your System > Certificates > Authorities ?
@guardian said in How do I fix this expiring ACME Certificate?:
Is there a place I can download a new CA certificate?
Normally, you don't need to.
If your pfSense is recent enough, you have them already. Not under "System > Certificates > Authorities" but in the FreeBSD certificate storage folder, here: /usr/share/certs/trusted/
Most probably this isn't needed, but I've manually added all the current CA and intermediates, and loaded them here (under: System > Certificates > Authorities).
-
@guardian Just check to see which certificates have been issued with the now defunct/expiring CA and if it is zero (which is highly likely), then you can delete it. Any new cert renewals will still take place and the appropriate CA chain will be downloaded and installed if required. You may find you have R10 and R11 (or newer) installed through this route.
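One way to run the check suggested above, as an added example that is not part of the original thread: it parses certificate detail text in the format quoted here and lists, for each CA, the certificates whose Authority Key ID matches that CA's Subject Key ID. The function names and the fw.example.test server certificate (including its key IDs) are constructed for illustration; R3 and E5 are abridged from the posts above.

```python
import re

# Field labels used in the certificate details quoted in this thread.
LABELS = ["Serial", "Signature Digest", "KU", "EKU", "DN", "Hash",
          "Subject Key ID", "Authority Key ID", "Total Lifetime",
          "Lifetime Remaining", "Trust Store", "Valid From", "Valid Until"]
_FIELD = re.compile(r"\s*\b(" + "|".join(map(re.escape, LABELS)) + r"):\s*")

def parse_entry(text):
    """Split one details block (one line or many) into a field dict."""
    parts = _FIELD.split(" ".join(text.split()))
    entry = {"Subject": parts[0]}
    entry.update(zip(parts[1::2], parts[2::2]))
    return entry

def is_ca(entry):
    """A CA certificate carries the Certificate Sign key usage."""
    return "Certificate Sign" in entry.get("KU", "")

def issued_by(ca, entries):
    """Entries whose Authority Key ID equals the CA's Subject Key ID."""
    ski = ca["Subject Key ID"].upper()
    return [e for e in entries
            if e is not ca and e.get("Authority Key ID", "").upper() == ski]

def usage_report(blocks):
    """Map each CA subject to the subjects of the certificates it issued."""
    entries = [parse_entry(b) for b in blocks]
    return {ca["Subject"]: [e["Subject"] for e in issued_by(ca, entries)]
            for ca in entries if is_ca(ca)}

# R3 and E5 are abridged from the thread; the server certificate is constructed.
SAMPLE = [
    "O=Let's Encrypt, CN=R3, C=US KU: Digital Signature, Certificate Sign, CRL Sign "
    "Subject Key ID: 14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 "
    "Authority Key ID: 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E",
    "O=Let's Encrypt, CN=E5, C=US KU: Digital Signature, Certificate Sign, CRL Sign "
    "Subject Key ID: 9F:2B:5F:CF:3C:21:4F:9D:04:B7:ED:2B:2C:C4:C6:70:8B:D2:D7:0D "
    "Authority Key ID: 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E",
    "CN=fw.example.test KU: Digital Signature "
    "Subject Key ID: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 "
    "Authority Key ID: 9F:2B:5F:CF:3C:21:4F:9D:04:B7:ED:2B:2C:C4:C6:70:8B:D2:D7:0D",
]

if __name__ == "__main__":
    for ca, certs in usage_report(SAMPLE).items():
        print(ca, "->", certs or "no certificates issued, candidate for deletion")
```

A CA that maps to an empty list has issued none of the certificates in the input, which is the "zero" case described in the reply above.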