Yealink provisioning issues following the expiry of the DST Root CA X3 certificate

Status
Not open for further replies.
hfoster

hfoster

Active Member
Jan 28, 2019
684
81
28
34
Has it given you the correct chain? You can always check https://www.geocerts.com/ssl-checker and see if DST Root CA X3 is still present. (You can also analyse the file directly and convert it to a readable cert using OpenSSL. Unfortunately because the two chains provided by LetsEncrypt are:
  • DST Root CA X3 -> ISRG Root X1 -> R3 LetsEncrypt
  • ISRG Root X1 -> R3 LetsEncrypt
The client has to have the logic to pick the second one. Certbot was busted on this until this year.
 
T

TimGuyUK

Member
Feb 28, 2018
105
3
18
52
hfoster said:
Has it given you the correct chain? You can always check https://www.geocerts.com/ssl-checker and see if DST Root CA X3 is still present. (You can also analyse the file directly and convert it to a readable cert using OpenSSL. Unfortunately because the two chains provided by LetsEncrypt are:
  • DST Root CA X3 -> ISRG Root X1 -> R3 LetsEncrypt
  • ISRG Root X1 -> R3 LetsEncrypt
The client has to have the logic to pick the second one. Certbot was busted on this until this year.
Click to expand...
Great website, I like that, cheers,

Your right the DST Root CA X3 is still at the top of the tree and expired September 30, 2021.

Does that mean that the putting PREFERRED_CHAIN="ISRG Root X1" to the bottom of /etc/dhyrated/config file isnt correct and forcing a certificate update isnt the correct thing to do?

Tim
 
hfoster

hfoster

Active Member
Jan 28, 2019
684
81
28
34
Well, I'd say it is correct method, the issues on the dehydrated github page seem to agree too:

github.com

support alternate chains offered by the ACME · Issue #842 · dehydrated-io/dehydrated

https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816 How to support older OpenSSL versions If you need to support affected OpenSSL versions...
github.com github.com

There is also in that issue:

I should just add that on older openssl (eg, el6, el7), the selection of the correct chain should be done like that

PREFERRED_CHAIN="issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1"
Click to expand...

I can't really confirm this though, as I just use Certbot to keep uniformity throughout my network.
 
M

markjcrane

Active Member
Staff member
Jul 22, 2018
499
177
43
49
In order for preferred chain to work you have to update your version of dehydrated. So that running

dehydrated -h

Needs to show the following in the results of the command above.

--preferred-chain issuer-cn

If its not then the letsencrypt.sh script will now upgrade dehydrated for you and then it will make the new certificate.

cd /usr/src/fusionpbx-install.sh
git pull
./letsencrypt.sh

The preferred-chain is now part of the script.
 
Last edited:
  • Like
Reactions: Adrian Fretwell
Status
Not open for further replies.
Top Bottom