In Progress [CPANEL-33077] Letsencrypt transition to ISRG’s Root (Important!!!!!)

[ciao70]

Hi,


In reference to this notice

Transition to ISRG's Root delayed until Jan 11 2021

[Edit September 2020: I’ve updated the change date in this post to refer to the current plan, to make it easier to find] We’re going to delay the transition to ISRG’s root a little further, to January 11 2021. The patterns of Android adoption have not significantly improved since last year...

community.letsencrypt.org

How will it be managed by cpanel?

Will you continue to use DST Root X3 or will you automatically switch to ISRG Root X1?

If so, what can be done to continue using the current intermediate certificate (DST Root X3) until 30 September 2021?

This is important because devices with an Android version earlier than 7.1 will not recognize the new certificate ISRG Root X1

Thanks

 

[andrew.n]

Probably they will come up something similar as they did with Sectigo recently:

Root CA Certificate Expiration

On May 30, 2020 an intermediary CA certificate used by Sectigo expired causing some older versions of OpenSSL unable to validate the certificate chain. This event reduced compatibility with a wide ...

support.cpanel.net

 

[cPanelLauren]

Someone recently opened an inquiry in response to this thread - CPANEL-33077 - It doesn't have a developer response yet but I'll continue checking it and let you know as soon as there's an update.

 

[ciao70]

Someone recently opened an inquiry in response to this thread - CPANEL-33077 - It doesn't have a developer response yet but I'll continue checking it and let you know as soon as there's an update.

Hello,

is there any news?

Thanks

 

[cPanelLauren]

There's been some investigation done but there is no definitive answer on this as of right now.

 

[ciao70]

Hello,

We’re delaying this transition one more time, to January 11, 2021. As we got closer to the switchover date, we realized we need to do more outreach to our subscribers first, to make sure no one is taken by surprise. To everyone who has already gotten ready for the switch, thank you!

We will still be making a smaller change to our issuing intermediate this fall. We’ll switch to using our just-issued R3 intermediate. However, that intermediate will be cross-signed by IdenTrust (just like our “Let’s Encrypt Authority X3” intermediate is), so compatibility with your site visitors will not change. Your ACME client should automatically download and configure the correct certificate chain with the next issuance after we make the change.

https://community.letsencrypt.org/t/transition-to-isrgs-root-delayed-until-jan-11-2021/125516/3

https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html

https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html

 

[ciao70]

Beginning Issuance from R3

In the immediate future (earliest possible: today; latest possible: December 16th) we will begin issuance from our new R3 intermediate. As usual, this will take the form of a phased rollout, beginning with us issuing a few certificates for ourselves, then allowing issuance in staging, then...

community.letsencrypt.org

 

[ciao70]

Questions re: Beginning Issuance from R3

Not sure if makes sense to continue this here or if I should have started a new thread, but I've got a few questions relating to what's in the announcement: In the immediate future (earliest possible: today; latest possible: December 16th) we will begin issuance from our new R3 intermediate...

community.letsencrypt.org

Note regarding transition to R3 intermediate with Firefox or Thunderbird

If anyone finds they are suddenly having trouble with Firefox or Thunderbird connecting to services that use Let's Encrypt certificates, check that your certificate includes the new R3 intermediate in the certificate chain. Thunderbird (for instance) has a copy of the old X3 certificate in it's...

community.letsencrypt.org

Chain of Trust - Let's Encrypt - Free SSL/TLS Certificates

Last updated: Dec 8, 2020

 

[ciao70]

Someone recently opened an inquiry in response to this thread - CPANEL-33077 - It doesn't have a developer response yet but I'll continue checking it and let you know as soon as there's an update.

Hello,

News?

 

[cPRex]

Can you let me know what update you were looking for? Since this has been delayed by Let's Encrypt until January 2021 we haven't taken any action on our end just yet. We have done some testing with this and so far it doesn't appear to cause any problem, except for older Android clients as mentioned here:

Let's Encrypt Root Cert changes affecting Android users

Question Will cPanel AutoSSL's be Transitioning to ISRG's Root such as Let's Encrypt - Free SSL/TLS Certificates? Answer We have been aware of these recent updates, and have begun testing. He...

support.cpanel.net

At this point, there really shouldn't be any issues with this switch as it should just happen without users knowing.

 

[ciao70]

Hello,

Change Log for Plesk Obsidian

Find out about changes, additions and updates to Plesk Obsidian on an iteration to iteration basis.

docs.plesk.com

For example, Plesk has given the possibility with a modification to be able to continue using the old DST Root certificate until 30/09/2021


The extension now supports a new chain of trust based on ISRG Root. Before January 11, 2021, the old IdenTrust root remains the default one, while the new ISRG Root is an alternative one. After January 11, 2021, the extension will issue SSL/TLS certificates based on the new ISRG Root, while the old IdenTrust root will become an alternative one.


To have the extension issue SSL/TLS certificates based on the alternative root (which is ISRG Root before January 11, 2021, and IdenTrust after this date), add the following lines to panel.ini:


[ext-letsencrypt]
use-alternate-root = true



Thanks

 

[cPRex]

I'll ask the developers and find out, although it might be a bit before I hear back.

 

[ciao70]

Hello,

Extending Android Device Compatibility for Let's Encrypt Certificates - Let's Encrypt

Update, May 13, 2021 Please visit [this post] (https://community.letsencrypt.org/t/production-chain-changes/150739) on our community forum for the latest information about chain changes as some information about the changes and dates in this blog post are outdated. We’re happy to announce that...

letsencrypt.org

 

[cPRex]

With the holidays happening I still haven't heard anything on my end. I've messaged the team working on this again for an update, but it still might be a bit.

For my own reference, I'm tracking this with case CPANEL-33077.

 

[Kent Brockman]

Hello guys. Any update? TODAY IS THE DAY and some users issuing certificates via Let's Encrypt has started to see certificate errors.

 

[mtindor]

If I do something like navigate to WHM --> AutoSSL and tell it to run AutoSSL on all users, every user SSL cert returns the following (where "acustomerdomain.com" is something I obsfuscated on purpose but IS a legit domain that should have SSL on it). Actually it is happening on _almost_ every legitimate domain that should have a valid SSL on it. And it has broken email services for those domains ( /cpanel /webmail / dovecot / exim all seem to not have customer-specific SSLs functioning).

https://www.acustomerdomain.com:2083 - cPanel - cert fails and only shows primary hostname cert
https://www.acustomerdomain.com:2096 - Webmail - cert fails and only shows primary hostname cert

Getting reports all over the place from customers who were connecting to mail.acustomerdomain.com over SSL and getting cert warnings (because it's now using only the primary hostname cert)

CL6 ELS + WHM 98 - system OpenSSL 1.0.1e

11:47:48 AM ERROR TLS Status: Defective
Certificate expiry: 12/29/21, 1:25 PM UTC (89.9 days from now)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (1:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (2:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (3:10:CERT_HAS_EXPIRED).
11:47:48 AM Analyzing “acustomerdomain.com” (website) …
11:47:48 AM ERROR TLS Status: Defective
Certificate expiry: 12/29/21, 1:25 PM UTC (89.9 days from now)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (1:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (2:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (3:10:CERT_HAS_EXPIRED).

 

[cPRex]

I've reached out to the security team and I'll let you know what I find out!

 

[mtindor]

I'm sure it has something to do with what Kent posted. In addition, is it only a problem for CentOS 6 / RHEL 6 / CL6 ELS servers running OpenSSL 1.0.1e? I'm having this issue now on 1 of my three CL6 ELS + WHM 98 boxes. The other two boxes are not experiencing this (yet). No issues on my CL8 + WHM 98 boxes.

And it seems to be only related to cPanel services and exim/dovecot services. The SSL certificate appear to be functioning without errors/warnings on the Lets Encrypt certs used on the specific customers' websites ( www.acustomerdomain.com ). But I i go to www.acustomerdomain.com/cpanel, www.acustomerdomain.com/webmail , the only cert is available is the one for hte primary hostname and htus a warning is thrown up. Same thing for dovecot (and presumably exim) . Customers who normally connect to mail.acustomerdomain.com over SSL (which has their own Lets encrypt cert tied to it) are now getting certificate mismatch warnings wanting hte customer to trust the SSL certificate of the primary hostname of the server.

 

[spmfox117]

CentOS7 - v98.0.8 - can confirm, this seems to impact all domain emails.

This is basically a huge outage, all customers using emails effectively can't get to their emails anymore. Even if there is an 'ignore' button on their client, they are getting spammed with certificate/email errors.

I don't understand, if this was known for a year why was nothing done to address this before the expiration date?

 

[alexbrett]

Also seeing this on CentOS 7 with v98.0.8. It appears that autossl is failing to validate the certs, so regenerating them, but then still failing the validation in some way so it doesn't put them in to e.g. the Dovecot SNI configuration.

I presume it is somehow using the old certificate chain (back to the expired root) to validate the Lets Encrypt issued certs against, rather than the new chain. I've verified that the "ISRG Root X1" certificate is trusted at a CentOS level, but presumably somehow the wrong chain is being found...