Netgate Discussion Forum

    Let's encrypt CA expired

    11 Posts 4 Posters 815 Views
    • emc

      1. Can the "external" expired cert be deleted or will this break things?
      2. If I decide to import the new pem file from Let's encrypt, can you explain how to do it exactly and do all certs in this page need to be replaced or just this one?

      I had installed ACME package, I currently have two certificates and two private keys under the "ACME" section.

      Under System/Certificate Manager/CAs I have four certificates
      [screenshot]

      The second one has expired.
      I searched on other posts, and it seems like you cannot renew that CA from pfSense directly but instead you have to go to Let's encrypt and download the self signed PEM from this page (According to this post https://forum.netgate.com/topic/189937/how-do-i-renew-this-certificate-athority/16): https://letsencrypt.org/certificates/

      [screenshot]

      On other posts I've read that it can simply be deleted as it's no longer needed.
      Either way, the expiration for the other CAs are coming eventually and importing files will need to happen.

      Thank you everyone for your help in advance!

      • johnpoz (LAYER 8 Global Moderator), replying to @emc

        @emc My understanding is you could in theory just delete all of those, and next time you run acme if it needs a CA it would just install it.. Or maybe on a reinstall of the package..

        But I wouldn't worry too much, but yeah you can delete that expired CA, you can see on the right there you don't have any certs under that CA being used.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • jrey, replying to @emc

          @emc

          Wait, aren't there 3 certs listed against that expired certificate?
          I thought it would auto renew as well, but never seemed to.

          Here is what I did,

          https://forum.netgate.com/topic/189674/certificate-updated-ca-r11-still-pointing-to-isrg-root-x1?_=1727886203715

          and the certificates that were under my expired one immediately moved to the new certificate,
          then I deleted the old one.

          • johnpoz (LAYER 8 Global Moderator), replying to @jrey

            @jrey said in Let's encrypt CA expired:

            > Wait, aren't there 3 certs listed against that expired certificate?

            where are you seeing that?

            [screenshot: certs.jpg]

            I don't see anything.. I see HAProxy using one under that top R3 that expires in sept 2025

            edit.. Oh the 3 there, but they are currently not listed as IN USE.. Maybe he has some old certs too?


            • emc, replying to @jrey

              @jrey Is the PEM certificate that I highlighted in the first screenshot the correct one (Certificate details (self-signed))?

              • Gertjan, replying to @emc

                @emc

                Under CA, right ?

                [screenshot]

                You can ditch them (the expired Letsencrypt CAs).
                If you want the new ones, as these are from Letsencrypt, do your shopping here:
                Chains of Trust

                Get the two CAs: ISRG Root X1 (if you are an RSA guy) and ISRG Root X2 if you want to go all ECDSA.

                Same thing for the Subordinate (Intermediate) CAs
                Get all the E5/E6 and R10/R11.

                That said: I really guess none of them really need to be loaded into the pfSense cert store.
                I'll have to test that: wipe them all, then renew a cert with acme.sh. I'm pretty sure everything keeps on working just fine.

                If things go wrong : yell at me, and get your config backup back in ;)
                I still have to do this test

                Right now, I see this :

                [screenshot]

                as my current certs are based upon :

                [screenshot]

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                • jrey, replying to @johnpoz

                  @johnpoz said in Let's encrypt CA expired:

                  Oh the 3 there, but they are currently not listed as IN USE..

                  The "3" would be the number of "Certificates" that are chained up to that CA.

                  So for example I have a CA with a 1; the In Use column is empty on the CA screen, and then under Certificates there is 1 that references that CA, and on that screen the In Use column shows what is using it.

                  My self-signed CA for VPN: the CA shows 2, and under "Certificates" there are 2 certificates that reference it.

                  On my CA list the one with a 2 does not have anything in the "In Use" column either.
                  [screenshot]

                  But on the Certificates page there are 2 "In Use" that reference the above CA;
                  they also both have values in "In Use" on that screen.

                  [screenshot]

                  So on the certificates screen he likely has 3 certificates referencing that CA.
                  We don't know if they are in use or not because we don't see that screen.

                  In fact I have 3 CAs (none have an In Use value); in the Certificates column they total 4, and on the Certificates screen there are indeed 4 certificates: 1 is not in use (field empty) but it still chains up to a CA, and the other 3 all have In Use values. 2 of those are the VPN.
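                  The count-versus-In-Use distinction above can be reproduced outside the GUI. The script below is an added example, not from this thread or from pfSense: given CA and certificate PEMs exported to two directories (placeholder paths), it reports, per CA, whether it has expired or expires within a window and how many certificates name it as issuer, which is what the CA page's count column reflects. It assumes the openssl CLI and matches on issuer name only, not on the signature.

```sh
#!/bin/sh
# Added example (not from the thread or pfSense itself): for a cert store exported
# as PEM files, reproduce the CA page's certificate count and flag CAs that are
# expired or expire within a window. Requires the openssl CLI; paths are placeholders.
set -eu

# Subject or issuer DN of a cert in RFC 2253 form, so the two can be compared.
dn() { openssl x509 -noout -nameopt RFC2253 "$1" -in "$2" | sed 's/^[^=]*= *//'; }

# Usage: ca_report CA_DIR CERT_DIR WINDOW_SECONDS
# One line per CA: "<EXPIRING|OK> <number of certs naming it as issuer> <subject>".
# A CA reported as "EXPIRING 0 ..." is the thread's case: nothing chains to it.
ca_report() {
  for ca in "$1"/*.pem; do
    subj=$(dn -subject "$ca")
    n=0
    for leaf in "$2"/*.pem; do
      [ -f "$leaf" ] || continue
      [ "$(dn -issuer "$leaf")" = "$subj" ] && n=$((n + 1))
    done
    # -checkend exits non-zero when the cert expires within WINDOW_SECONDS.
    if openssl x509 -noout -checkend "$3" -in "$ca" >/dev/null; then
      printf 'OK %d %s\n' "$n" "$subj"
    else
      printf 'EXPIRING %d %s\n' "$n" "$subj"
    fi
  done
}

# Constructed demo store: a root that expires tomorrow with one leaf issued by it,
# and a long-lived root with no leaves. Keys are throwaway EC P-256 keys.
make_demo() {
  mkdir -p "$1/cas" "$1/certs"
  for spec in "old:Old Root:1" "new:New Root:3650"; do
    f=${spec%%:*}; rest=${spec#*:}; cn=${rest%:*}; days=${rest#*:}
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -subj "/CN=$cn" -days "$days" -keyout "$1/$f.key" -out "$1/cas/$f.pem" 2>/dev/null
  done
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=host.example" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/cas/old.pem" -CAkey "$1/old.key" \
    -CAcreateserial -days 1 -out "$1/certs/host.pem" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); make_demo "$d"; ca_report "$d/cas" "$d/certs" 172800; rm -rf "$d"
fi
```

Run with `--demo` to see the constructed store; point `ca_report` at real export directories otherwise.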

                  • jrey, replying to @emc

                    @emc said in Let's encrypt CA expired:

                    Is the PEM certificate that I highlighted in the first screenshot the correct one (Certificate details (self-signed))?

                    Yes

                    make a backup of the config .. 👍

                    https://letsencrypt.org/certificates/

                    just need the pem from that line

                    • johnpoz (LAYER 8 Global Moderator), replying to @jrey

                      @jrey little reason to back them up to be honest.. So I had 3 acme CAs, I deleted them all, and renewed a couple of certs I had.. The CAs auto got added back

                      [screenshot: acme.jpg]


                      • jrey, replying to @johnpoz

                        @johnpoz

                        Interesting - I wonder if it has something to do with:

                        in your first screen capture the CAs are E5, E6, R3

                        also notice that your R3 shown in the first CA screen capture isn't in the second screen capture - I assume that is after you deleted and renewed and you are showing they came back (the 2 highlighted).

                        but at the same time the ones that most people are inquiring about with the "problem" are those where on CA the CN = X1 on the authority.

                        now @Gertjan in his screen capture is showing both X1 X2 R10 and R11
                        and that X1 is current 2035 expiry
                        but only the X1 and R10 are chained on that screen. (count 1 each)

                        in my case it is the X1 and R11 the other 2 don't exist.

                        in the op's case he has an R3 not used, and R10 not used
                        and an expired X1 and valid R11.

                        So maybe the X1 renewal is the issue. I just did it manually and it's fine. I guess we could experiment more - but it works so ...

                        • johnpoz (LAYER 8 Global Moderator), replying to @jrey

                          @jrey it doesn't need CAs you don't have certs off of... My point was just delete them if they are expired.. And CAs that acme needs to renew your certs will just get added back anyway.

