--preferred-chain doesn't work as expected #3252

Closed
raven-kg opened this issue Nov 12, 2020 · 10 comments

Comments

@raven-kg

I tried to use the --preferred-chain option to obtain ISRG-signed certificates:

acme.sh --issue -d raven5._.su --preferred-chain "ISRG Root X1" -w /usr/share/nginx/html/

And I always got the certificate signed with IdenTrust CA:

openssl x509 -in /etc/pki/letsencrypt/raven5._.su/ca.cer -text -noout 
...
        Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3

Of course, I got files signed with the ISRG CA, but they are saved with a '.alt' suffix and don't work in my configuration:

ls /etc/pki/letsencrypt/raven5._.su
ca.cer      fullchain.cer      raven5._.su.cer      raven5._.su.conf  raven5._.su.csr.conf
ca.cer.alt  fullchain.cer.alt  raven5._.su.cer.alt  raven5._.su.csr   raven5._.su.key

The config file contains the following:

grep 'Le_Preferred_Chain' /etc/pki/letsencrypt/raven5._.su/raven5._.su.conf
Le_Preferred_Chain='__ACME_BASE64__START_SVNSRyBSb290IFgx__ACME_BASE64__END_'

Is there a way to store files issued with ISRG CA without adding '.alt' to filenames?

@Neilpang
Member

It works as expected here:

openssl x509 -in ca.cer  -text -noout 

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d3:b1:72:26:34:23:32:dc:f4:05:28:51:2a:ec:9c:6a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Oct  6 15:43:55 2016 GMT
            Not After : Oct  6 15:43:55 2021 GMT
        Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

Can you please upgrade to the latest version first?

acme.sh --upgrade

And give the log with --debug 2?

@raven-kg
Author

raven-kg commented Nov 13, 2020

I already updated acme.sh before using --preferred-chain.

acme.sh --upgrade
[Fri Nov 13 03:14:51 UTC 2020] Already uptodate!
[Fri Nov 13 03:14:51 UTC 2020] Upgrade success!

And here is debug 2 output
https://pastebin.com/yiG2mX6v (expires after a week)

@nekocentral

nekocentral commented Nov 13, 2020

I would also like to join in this bug report to avoid duplicate issues.

Just updated my acme.sh and added --preferred-chain "ISRG" as per the docs.
All my websites are still on the DST root instead of the ISRG one.

Commands used:
issue: acme.sh --issue --dns dns_cf -d haazen.xyz -d *.haazen.xyz -d *.home.haazen.xyz --preferred-chain "ISRG" --force
deploy: acme.sh --install-cert -d haazen.xyz --cert-file /opt/ssl/haazen.xyz/cert.pem --key-file /opt/ssl/haazen.xyz/key.pem --fullchain-file /opt/ssl/haazen.xyz/fullchain.pem --ca-file /opt/ssl/haazen.xyz/ca.pem --reloadcmd "service nginx restart"

Edit2:
It seems that the fullchain is signed with ISRG, but the cert is only signed by DST.

@Neilpang
Member

@raven-kg Yes, I confirmed this is a bug from your log.

Can you please let me know your OS version and OpenSSL version?

Thanks.

@lukecyca

I am experiencing the same behaviour using acme.sh via letsencrypt-nginx-proxy-companion which we are tracking in this issue.

/app # openssl version
OpenSSL 1.1.1g  21 Apr 2020
/app # cat /etc/os-release 
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.12.1
PRETTY_NAME="Alpine Linux v3.12"

@raven-kg
Author

raven-kg commented Nov 15, 2020

@Neilpang it's CentOS 7, OpenSSL 1.0.2k.
I can also check this using a few other OSes, with different OpenSSL/LibreSSL versions, if it would be useful.
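The two issuer lines quoted in this thread come from different OpenSSL generations: 1.0.2k on CentOS 7 prints `Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3` (no spaces around `=`), while 1.1.1g on Alpine prints `Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1`. Any script that decides which chain file is the "preferred" one by inspecting that text has to tolerate both forms. The following is an added example, not acme.sh's own chain-selection code and not code from anyone in this thread; it assumes that "preferred chain" means the issuer CN of the chain's top certificate contains the requested string, and it works on embedded, constructed samples of `openssl x509 -text -noout` output in both formats. It is the kind of check one would run from a renew hook to alert when the chain the web server actually loads (ca.cer / fullchain.cer) does not carry the expected root.

```python
"""Audit which CA chain acme.sh saved as the primary file, tolerating both
OpenSSL 1.0.2 ('O=...') and OpenSSL 1.1.x ('O = ...') issuer formatting.
Added example; not part of acme.sh."""
import re

# Constructed sample: the Issuer line as OpenSSL 1.0.2 (CentOS 7) prints it.
CA_CER_TEXT_102 = """Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
        Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
"""

# Constructed sample: the same field as OpenSSL 1.1.1 (Alpine 3.12) prints it.
CA_CER_ALT_TEXT_111 = """Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
"""

# Matches the "Issuer:" line of `openssl x509 -text -noout` output.
ISSUER_RE = re.compile(r"^\s*Issuer:\s*(.+)$", re.MULTILINE)


def parse_dn(dn):
    """Split a one-line DN into {attribute: value}.

    Splits only on a comma that is followed by an attribute type and '=',
    so a value containing a comma (e.g. 'Digital Signature Trust Co.,')
    is not broken apart. Both 'CN=x' and 'CN = x' are accepted.
    """
    parts = re.split(r",\s*(?=[A-Za-z]+\s*=)", dn)
    out = {}
    for part in parts:
        attr, _, val = part.partition("=")
        out[attr.strip()] = val.strip()
    return out


def issuer_of(x509_text):
    """Return the issuer DN dict parsed from x509 -text output, or None if absent."""
    m = ISSUER_RE.search(x509_text)
    return parse_dn(m.group(1)) if m else None


def chain_matches(x509_text, preferred):
    """True if the chain's top certificate was issued by a CA whose CN contains
    `preferred` (case-insensitive). This substring-on-CN rule is an assumption
    about what --preferred-chain "ISRG Root X1" is meant to select."""
    issuer = issuer_of(x509_text)
    return issuer is not None and preferred.lower() in issuer.get("CN", "").lower()


def select_chain(candidates, preferred):
    """Given {filename: x509 text} for ca.cer, ca.cer.alt, ..., return the first
    filename whose issuer matches `preferred`, or None if no chain does."""
    for name, text in candidates.items():
        if chain_matches(text, preferred):
            return name
    return None


def audit_installed_chain(primary_text, preferred):
    """Post-issuance check on the file the server actually loads.

    Returns (ok, issuer_cn) so a hook can log the real issuer and alert
    when the served chain does not carry the preferred root.
    """
    issuer = issuer_of(primary_text) or {}
    cn = issuer.get("CN", "")
    return (preferred.lower() in cn.lower(), cn)


if __name__ == "__main__":
    # Reproduces the situation reported above: ca.cer is DST-signed while the
    # ISRG-signed chain was written to ca.cer.alt.
    files = {"ca.cer": CA_CER_TEXT_102, "ca.cer.alt": CA_CER_ALT_TEXT_111}
    ok, cn = audit_installed_chain(files["ca.cer"], "ISRG Root X1")
    print("ca.cer issuer CN:", cn, "| matches preferred:", ok)
    print("file that actually matches the preferred chain:", select_chain(files, "ISRG Root X1"))
```

To run it against real output, replace the constructed strings with the result of `openssl x509 -in ca.cer -text -noout` (and the same for ca.cer.alt); the DN parser is the part that differs from a naive `grep ISRG`, because it keeps the CN field isolated and does not split the DST organisation name on its embedded comma.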

@Neilpang
Member

@lukecyca

I cannot reproduce it here:

~ # openssl version
OpenSSL 1.1.1g  21 Apr 2020
~ # cat /etc/os-release 
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.12.1
PRETTY_NAME="Alpine Linux v3.12"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"

@Neilpang
Member

@raven-kg
I reproduced it with CentOS 7.

Thanks.

@Neilpang
Member

Fixed.
Please try again with the latest dev branch:

acme.sh --upgrade -b dev

@raven-kg
Author

raven-kg commented Nov 18, 2020

@Neilpang now it works. Thanks for fixing it!

gnought added a commit to gnought/acme.sh that referenced this issue Feb 10, 2021

It relates to acmesh-official#3252
My env:
openssl version => `OpenSSL 1.1.0l  10 Sep 2019`
openssl help crl2pkcs7 => `Usage: help`
openssl crl2pkcs7 help => `crl2pkcs7: Use -help for summary.`