security/acme-client: Let's Encrypt certificates are provided by obsolete DST Root CA X3 #2550
Comments
@cedvan Maybe I'm missing something here? As far as I'm aware, Let's Encrypt added a new cross-signed CA which should work beyond 30.09.2021:
I've manually renewed one of my certificates and the two parts of the chain seem to confirm that it's using the new cross-signed CA:
And viewing the resulting cert chain in Firefox 92 it seems that it already prefers the X1 route over the expiring X3. However, I can confirm that Chrome still shows the same output that you've posted in the screenshot. Yes, there is an alternative chain available: Does this make sense to you? Is there something wrong with this explanation?
Hmm, on my servers without
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
My servers have
@cedvan Which service uses the certificate, is it the OPNsense WebUI or something else?
I use the certificates with a HAProxy frontend.
@cedvan Can you verify the chain by using openssl on the CLI?
I have the latest version of OPNsense and all plugins. My certificate was regenerated today, but there is no presence of
Maybe I need to create a new account or a new certificate to get a good CA hierarchy?
@cedvan Let's check one more thing:
The issuer of all certificates generated with the ACME client is
OK, so the real problem is that os-acme-client failed to import the cross-signed R3 CA certificate and as a result applications such as the WebUI and HAProxy will only present the expiring R3 CA certificate to clients. I'll look into this.
OK, I look forward to your feedback and a solution :)
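The two requests above, to check the chain with openssl on the CLI and to compare the issuer of the R3 certificate that the server actually presents, can be reproduced offline. The following is an added example, not code from this issue or from the os-acme-client plugin: it builds a throwaway PKI with the same shape as the Let's Encrypt hierarchy under discussion and runs `openssl verify` against both cross-signed versions of the intermediate. All names are constructed for the demo: "old root" stands in for the expiring DST Root CA X3, "new root" for ISRG Root X1, and "Int R3" for the R3 intermediate that exists once per root. Only the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not code from the OPNsense issue or the os-acme-client plugin.
# Throwaway PKI mirroring the Let's Encrypt layout discussed above. Constructed
# names: "old root" = expiring DST Root CA X3, "new root" = ISRG Root X1,
# "Int R3" = the R3 intermediate, cross-signed once by each root.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A point in time 3 days from now. The old root is issued for 1 day only, so it
# is expired by then, just as DST Root CA X3 was after 30.09.2021.
FUTURE=$(( $(date +%s) + 3 * 86400 ))

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$WORK/leaf.ext"

    # Two self-signed roots; the old one is deliberately short-lived.
    for r in old new; do
        newkey "$WORK/$r.key"
        if [ "$r" = old ]; then days=1; else days=365; fi
        openssl req -new -key "$WORK/$r.key" -subj "/CN=$r root" -out "$WORK/$r.csr" 2>/dev/null
        openssl x509 -req -in "$WORK/$r.csr" -signkey "$WORK/$r.key" -days "$days" \
            -extfile "$WORK/ca.ext" -out "$WORK/$r.pem" 2>/dev/null
    done

    # One intermediate key and CSR, two certificates: one signed by each root.
    newkey "$WORK/r3.key"
    openssl req -new -key "$WORK/r3.key" -subj "/CN=Int R3" -out "$WORK/r3.csr" 2>/dev/null
    serial=1000
    for r in old new; do
        openssl x509 -req -in "$WORK/r3.csr" -CA "$WORK/$r.pem" -CAkey "$WORK/$r.key" \
            -set_serial "$serial" -days 365 -extfile "$WORK/ca.ext" -out "$WORK/r3_by_$r.pem" 2>/dev/null
        serial=$((serial + 1))
    done

    # The end-entity certificate is signed once, with the intermediate key. Which
    # of the two R3 certificates the server ships next to it decides whether a
    # client that no longer trusts the old root can build a path.
    newkey "$WORK/leaf.key"
    openssl req -new -key "$WORK/leaf.key" -subj "/CN=example.test" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/r3_by_new.pem" -CAkey "$WORK/r3.key" \
        -set_serial 2000 -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# issuer_of CERT: prints the Issuer DN, the field compared in the thread above.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# verify_chain ROOT INTERMEDIATE LEAF [EPOCH]: exit 0 when openssl can build a
# valid path LEAF -> INTERMEDIATE -> ROOT, optionally evaluated at time EPOCH.
verify_chain() {
    if [ -n "${4:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" -attime "$4" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    fi
}

build_pki
for inter in old new; do
    echo "R3 cross-signed by $inter root: $(issuer_of "$WORK/r3_by_$inter.pem")"
    for root in old new; do
        if verify_chain "$WORK/$root.pem" "$WORK/r3_by_$inter.pem" "$WORK/leaf.pem" "$FUTURE"; then
            echo "  trusting '$root root', after the old root expired: OK"
        else
            echo "  trusting '$root root', after the old root expired: FAILED"
        fi
    done
done
```

Run today, the chain through the old-root-signed R3 still validates against the old root, which is why the symptom only appears at the expiry date; evaluated at FUTURE it fails, and the same intermediate never validates against the new root because its issuer is not in that trust store. Only the R3 certificate signed by the new root builds a path for clients that trust ISRG Root X1, which is the certificate the plugin failed to import. The real Let's Encrypt hierarchy has one more cross-sign (ISRG Root X1 signed by DST Root CA X3) that this demo leaves out.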
Sorry, what does https://www.ssllabs.com/ssltest/index.html say about the cert path?
@kulikov-a Yes, of course. But the ACME client generates certificates with the old
This bug is quite urgent, because some applications will become unreachable after September 2021 (only 2 days left).
Not quite so (the ACME client does not generate the certificate).
I've found the bug, give me some minutes to test the fix :)
@fraenki OK, thanks!)
OK, here we go. The following patches for OPNsense 21.7.3 should fix the bug:
Besides fixing the underlying bug in the cert/CA import logic, it also adds a new "import" button to
I could only test it on my test server, so make a configuration backup before applying/testing this bugfix. In my case it fixes the bug; the example shows the output when using the certificate for the OPNsense WebUI:
(The width of the "commands" column had to be changed after adding the new button, this is fixed in 774374a.)
OK, super! Thank you :) So I just execute
and regenerate my cert and finally restart HAProxy?
You don't need to regenerate your certificates, just use the new "import" button:
@fraenki Sorry, one more question: are you planning to add the option to select the preferred chain (https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain)?
I'm still undecided. Adding a text input field is really error prone: a minor typo and it breaks. But adding a dropdown list of possible values puts the maintenance burden on me. Not sure which route to choose.
Got it, thanks! (I'd be glad of any option; a text input with a link to the wiki is quite convenient IMHO.)
I tested the patch, but it is not working :/. My steps:
OK, I regenerated my cert and restarted HAProxy, it works now!!!
Thank you 🙏
Any plans to release an official OPNsense patch for this, or is manual patching as described by @cedvan above the way to go?
Can we wait for this to be merged to any sort of branch in the project before we talk release timelines?
@hny-gd Just delete the old CA in Authorities, reissue all LE certs and link them again in the Services (HAProxy, Postfix etc.). The last step is important!
Thanks a lot, @mimugmail, that indeed is the way to go.
Important notices
[x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
[x] I have searched the existing issues and I'm convinced that mine is new.
[x] When the request is meant for an existing plugin, I've added its name to the title.
Is your feature request related to a problem? Please describe.
Let's Encrypt certificates are provided by DST Root CA X3 in the acme plugin. But this root CA is deprecated and expires in September 2021 (https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/)
Describe the solution you'd like
Using the new root certificate ISRG Root X1 is the new way. How do I use it with the acme plugin?