ISRG Root X1 CA keeps re-appearing in Cert Manager when renewing in acme
-
Hi all,
Wondering if anyone has seen what I'm seeing with acme and the Let's Encrypt CAs since the expiry of "DST Root CA X3" back in September. I haven't found any mention of it on the forums here, or through general Google searching, which leads me to believe it may be an issue with my config.
Followed the advice at https://forum.netgate.com/topic/166269/heads-up-dst-root-ca-x3-expiration-september-2021/1, deleted the old "ISRG Root X1" CA, then restarted HAProxy. SSLLabs and Nessus scans showed that everything went well, with no warnings.
Even with this solution in place, whenever I manually renew the certificate through acme, the expired "ISRG Root X1" CA gets re-added to the CAs list in Certificate Manager, which then results in warnings from our scans.
This is on pfSense 2.5.2, and we're using acme 0.6.10 and haproxy 0.61_3.
Any help/advice on where to check would be awesome!
-
@splodge said in ISRG Root X1 CA keeps re-appearing in Cert Manager when renewing in acme:
Followed the advice at https://forum.netgate.com/topic/166269/heads-up-dst-root-ca-x3-expiration-september-2021/1, deleted the old "ISRG Root X1" CA, then
.... then the expired root certificate doesn't exist any more on your system.
@splodge said in ISRG Root X1 CA keeps re-appearing in Cert Manager when renewing in acme:
renew the certificate through acme, the expired "ISRG Root X1" CA gets re-added to the CAs list in Certificate Manager,
You're saying: it wasn't there, but someone else (= Let's Encrypt) gives you back the certificate that no one trusts?
Really?
Check this:
Locate the file
/tmp/acme/YOUR_ACCOUNT_NAME_IN_ACME/YOUR.DOMAIN.TLD/fullchain.cer
In this file you find 3 blocks:
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.......
-----END CERTIFICATE-----
and the root certificate:
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
......
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
Go here: https://letsencrypt.org/certificates/ and load this file:
and compare the first line and last line, or, why not, the entire block: they are the same!!!
This root certificate is valid up until:
Not After : Sep 30 18:14:03 2024 GMT
Your issue is probably:
The front end that is tested doesn't use the certificate (chain) that you renewed.
@splodge said in ISRG Root X1 CA keeps re-appearing in Cert Manager when renewing in acme:
which then results in warnings from our scans.
Using a public 'scanner' (what do you mean by "scanning"?)?
What front-end tool are you using? => HAProxy.
Check the HAProxy settings: what certs it is using.
edit:
SSLLabs and Nessus scans showed that everything went well
Wondering if anyone has seen what I'm seeing with acme and the Let's Encrypt
Have to ask: what are you seeing?
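Added example (not part of either post above, and not code from the acme or pfSense packages): a small POSIX shell script that does the check the reply describes, splitting fullchain.cer into its PEM blocks and letting openssl print each block's subject, issuer, serial and validity dates, and flagging any block that is already expired. The path under /tmp/acme/ is an assumption taken from the reply; pass the real path as the first argument. One caveat worth knowing when reading the output: a block whose issuer differs from its subject is not a self-signed root. The block quoted in the reply, serial 40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7, is ISRG Root X1 cross-signed by DST Root CA X3, which is why its Not After date is September 2024 and not the June 2035 of the self-signed ISRG Root X1 published on the same Let's Encrypt page.

```sh
#!/bin/sh
# Added example: inspect every certificate block in an acme.sh fullchain.cer.
# Assumed input path: /tmp/acme/<account>/<domain>/fullchain.cer (given as $1).

# split_chain FILE DIR : write each PEM block in FILE to DIR/cert.N; print N
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# chain_count FILE : number of certificate blocks in the bundle
chain_count() {
    wd=$(mktemp -d) || return 2
    split_chain "$1" "$wd"
    rm -rf "$wd"
}

# chain_expired FILE : number of blocks whose notAfter is already in the past
chain_expired() {
    wd=$(mktemp -d) || return 2
    n=$(split_chain "$1" "$wd")
    expired=0
    i=1
    while [ "$i" -le "$n" ]; do
        # -checkend 0 exits non-zero when the certificate has already expired
        openssl x509 -in "$wd/cert.$i" -noout -checkend 0 >/dev/null 2>&1 \
            || expired=$((expired + 1))
        i=$((i + 1))
    done
    rm -rf "$wd"
    echo "$expired"
}

# inspect_chain FILE : per-block subject, issuer, serial, dates and status.
# Compare the subject/issuer/serial lines with https://letsencrypt.org/certificates/
# to see whether a block is the self-signed root or a cross-signed variant.
inspect_chain() {
    wd=$(mktemp -d) || return 2
    n=$(split_chain "$1" "$wd")
    i=1
    while [ "$i" -le "$n" ]; do
        c="$wd/cert.$i"
        echo "--- block $i of $n ---"
        openssl x509 -in "$c" -noout -subject -issuer -serial -dates
        subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
        if [ "$subj" = "$iss" ]; then
            echo "kind:    self-signed (subject equals issuer)"
        elif [ "$i" -eq 1 ]; then
            echo "kind:    leaf (end-entity) certificate"
        else
            echo "kind:    issued by another CA (intermediate or cross-signed)"
        fi
        if openssl x509 -in "$c" -noout -checkend 0 >/dev/null 2>&1; then
            echo "status:  valid"
        else
            echo "status:  EXPIRED"
        fi
        i=$((i + 1))
    done
    rm -rf "$wd"
}

# Run directly: sh chaincheck.sh /tmp/acme/<account>/<domain>/fullchain.cer
if [ $# -ge 1 ]; then
    inspect_chain "$1"
fi
```

The same loop can be pointed at the certificate files HAProxy is actually serving, which is the other thing the reply asks you to check: if the bundle openssl reports on disk and the chain SSL Labs sees from the front end differ in their last block, the front end is not using the renewed chain.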