
Safari, Firefox, Android device: Certificate not trusted because the issuer certificate is unknown

Open maccurt opened this issue 6 years ago • 15 comments

It may help to read this thread; they said I should alert you.

https://community.letsencrypt.org/t/the-certificate-is-not-trusted-because-the-issuer-certificate-is-unknown/81252

I followed the directions from this video: https://www.youtube.com/watch?v=2PKs8qLwMs0

I ran this report: https://www.ssllabs.com/ssltest/analyze.html?d=budgetdreamer.com

On Chrome my app worked, on IE it worked also. I then tried it on my Android device using Chrome 71.0.3578.99 on Android 6.0.1 and it said my site was not secure. I tried it on Firefox and it said I was not secure, but I then upgraded Firefox and it worked...

IN THE THREAD from the COMMUNITY someone wrote this: It’s also weird that it is using the ISRG intermediate at all.

I checked the linked Azure Site Extension, and it should be taking the issuer from the CA (https://acme-v01.api.letsencrypt.org/acme/issuer-cert). And that issuer, as of today, is still the Identrust/DST one:

Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3

If I were you, I’d probably report this weirdness to the site extension author. I can’t see any way (from the video) that this could happen by accident.

maccurt avatar Dec 31 '18 01:12 maccurt

Thanks for reporting, I will have a look at what has changed. The site-extension normally uses the intermediate certificate that has the "DST Root CA X3" root certificate and not the ISRG Root X1 that I can see was used for your certificate. Which version of the extension are you using?

sjkp avatar Dec 31 '18 04:12 sjkp

My Version

Azure Let's Encrypt Version 0.8.8 By SJKP Site extension for easy install and renewals of Let's Encrypt SSL certificates. The extension uses web jobs, so ensure that you have web job

maccurt avatar Dec 31 '18 11:12 maccurt

@maccurt I just renewed a few of my own sites manually yesterday to see if I could reproduce the error. Unfortunately I can't. Have you tried to do the same?

I need to release a version with more debugging turned on, to properly investigate what goes wrong. When the response comes back from Let's Encrypt (LE) with the certificate, it contains a list of links to the intermediate certificates that LE uses; right now the extension just takes the first certificate from that list and bundles it with the certificate that you requested. Normally that is the intermediate certificate for the DST root. But it seems that for some reason, when you requested your certificate, the first certificate returned by Let's Encrypt was the one for the ISRG root (at least this is the only explanation that I can come up with for the behavior you are experiencing). The reason for this sudden change in behavior could be that Let's Encrypt had changed something on their end when you requested your certificate, which they have since rolled back, or it could be that I should never have relied on the order of the intermediates returned by Let's Encrypt, in which case I need to change the site-extension.

If you can do one thing for me before trying to renew the certificate, then please look in D:\home\SiteExtensions\letsencrypt\config\httpsacme-v01.api.letsencrypt.org (using the kudu tool). There should be a file ca-<SOMENUMBERS>-crt.der; please paste the name of that file here. That file is the intermediate file that was used last. You can also open it and read the issuer name (just open it in a text editor, like the one in the kudu site; it is a binary file, but the issuer name is in there). Mine is named: ca-0A0141420000015385736A0B85ECA708-crt.der and contains Digital Signature Trust DST Root CA X3

sjkp avatar Dec 31 '18 19:12 sjkp

Hmm, looks like we can rule out that LE changed something. I looked up some certificates issued around the same time as yours; they all use DST Root.

sjkp avatar Dec 31 '18 20:12 sjkp

Yes, I will try those things. I will get back to you as soon as I have sat down in the lab to try it. I really appreciate your concern about it and looking into it. I thank you, sir. I assume I did have the right version and there was not a newer version?

maccurt avatar Jan 01 '19 15:01 maccurt

You wrote: If you can do one thing for me before trying to renew the certificate then please look in D:\home\SiteExtensions\letsencrypt\config\httpsacme-v01.api.letsencrypt.org (using the kudu tool) there should be a file ca-<SOMENUMBERS>-crt.der please paste the name of that file here.

I see

12/26/2018 01:43 PM 1,174 ca-0A0141420000015385736A0B85ECA708-crt.der

maccurt avatar Jan 01 '19 15:01 maccurt

I also opened this file in Notepad++ and it says Digital Signature Trust Co.10UDST Root CA X30 Let's Encrypt1#0!ULet's Encrypt Authority X30‚"0

maccurt avatar Jan 01 '19 15:01 maccurt

Okay, now that is strange. You have the same setup as I do on my websites that use the other intermediate. I don't have any immediate ideas as to what could be different with your setup, but I will try to do some digging as part of the next release.

sjkp avatar Jan 01 '19 20:01 sjkp

I don't know why this happens for you; can you try to request a new certificate?

sjkp avatar Feb 10 '19 18:02 sjkp

I also have the same issue as maccurt. I originally installed the extension on 1/12/19 but I am currently running version 0.9.3. Requesting a new certificate does not fix the issue. I also tried requesting a new certificate on a domain that did not previously have an SSL certificate and got the same results.

The web app was created 3-4 years ago on US-East2. Not sure if that could possibly be part of the issue.

kevin2078 avatar Feb 15 '19 01:02 kevin2078

@kevin2078 I will try on US-East2 and see if it changes anything; it could be an issue with the web app servers that you are using. But it is really hard to tell without being able to reproduce it to see what's going on.

sjkp avatar Feb 18 '19 20:02 sjkp

I'm having the same issue. I was using the letsencrypt-webapp-renewer webjob before, but that doesn't support run from package, so I switched to the extension. All my websites give privacy warnings in Chrome.

The certificate issuer is Fake LE Intermediate X1

tdesmet avatar Mar 12 '19 10:03 tdesmet

@tdesmet did you use the Let's Encrypt staging environment? Sounds like it, when you get a certificate issued by Fake LE.

sjkp avatar Mar 12 '19 10:03 sjkp

ugh, yes I missed the letsencrypt:AcmeBaseUri setting, didn't notice the default was staging, thanks

tdesmet avatar Mar 12 '19 12:03 tdesmet

Hi, unfortunately I have the same problem and cannot continue. Only Fake LE Intermediate X1 certificates will be created.

I've changed the value for letsencrypt:AcmeBaseUri to "https://acme-v01.api.letsencrypt.org/" and to "https://acme-v02.api.letsencrypt.org/", but unfortunately I did not succeed.

Azure EU-West

makue avatar Jul 29 '19 10:07 makue
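Two checks from this thread, as an added example that is not part of the extension or of any poster's code: reading the issuer of the bundled ca-<SOMENUMBERS>-crt.der file with openssl instead of a text editor (to tell the DST chain, the ISRG chain and the staging "Fake LE" chain apart), and confirming that the intermediate the extension bundled is actually the one that signed the leaf. The sample certificate is constructed locally so the script runs offline; the file names and the `make_sample_der` helper are assumptions.

```shell
#!/bin/sh
# Print "staging", "production-dst", "production-isrg" or "unknown" for the
# DER certificate in $1, based on which CA signed it.
classify_intermediate() {
    issuer=$(openssl x509 -inform der -in "$1" -noout -issuer) || return 1
    case "$issuer" in
        *"Fake LE"*)        echo "staging" ;;         # letsencrypt:AcmeBaseUri still points at the staging CA
        *"DST Root CA X3"*) echo "production-dst" ;;  # the chain the extension normally bundles
        *"ISRG Root X1"*)   echo "production-isrg" ;; # the chain the reporter's clients did not trust
        *)                  echo "unknown" ;;
    esac
}

# Return 0 when the intermediate in $2 is the one that signed the leaf in $1,
# i.e. the leaf's issuer DN equals the intermediate's subject DN. Browsers
# build the chain from this relationship, so a bundled intermediate whose
# subject does not match is useless to them.
chain_matches() {
    leaf_issuer=$(openssl x509 -inform der -in "$1" -noout -issuer | sed 's/^issuer=//') || return 1
    ca_subject=$(openssl x509 -inform der -in "$2" -noout -subject | sed 's/^subject=//') || return 1
    [ "$leaf_issuer" = "$ca_subject" ]
}

# Constructed sample (hypothetical helper): a self-signed certificate carrying
# the staging CA's name, so the checks above can run without network access.
# It is not a real Let's Encrypt certificate.
make_sample_der() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Fake LE/CN=Fake LE Intermediate X1" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/cert.pem" -outform der -out "$dir/cert.der" || return 1
    echo "$dir/cert.der"
}
```

On the Azure web app the same two functions apply to the ca-<SOMENUMBERS>-crt.der file from the kudu console and to the leaf certificate exported for the site.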