PKISharp / ACME-PS

PowerShell module supporting ACME v2 certificate management
MIT License

Certificate Generation/Validation is failing From June 2024 #144

Open nreddipalle opened 4 months ago

nreddipalle commented 4 months ago

Please provide some information about your script:

We have been generating Let's Encrypt certs without issues using an Azure Function and importing them into Azure Key Vault. But the function stopped working from June 2024, which I assume is due to this: https://letsencrypt.org/certificates/

This is our code:

We generate the cert:

```powershell
# As soon as the url shows up we can create the PFX
Export-ACMECertificate -State $acmeStateDir `
    -Order $order `
    -Path $certExportPath `
    -Password $securePassword `
    -UseAlternateChain
```

We split the cert into key and CRT due to this error:

```powershell
## Correcting certificate order due to a bug in the Let's Encrypt cert with incorrect order
## There is an issue on the roadmap to be fixed with Azure Key Vault so that it always keeps the order
## in the certificate correct even if the certificate is uploaded in the wrong order.
## But until then we will manually correct the order
## https://github.com/Azure/azure-rest-api-specs/issues/10637

&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" pkcs12 -in "$certExportPath" -nocerts -out "${certExportPath}.key" -passin pass:$CERT_PASS -passout pass:$CERT_PASS
&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" pkcs12 -in "$certExportPath" -clcerts -nokeys -out "${certExportPath}.crt" -passin pass:$CERT_PASS

## We download the root and intermediate certs manually

(New-Object System.Net.WebClient).DownloadFile("https://letsencrypt.org/certs/isrgrootx1.pem", "$acmeStateDir\Certificates\isrgrootx1.pem") ## ROOT CA
(New-Object System.Net.WebClient).DownloadFile("https://letsencrypt.org/certs/lets-encrypt-r3.pem", "$acmeStateDir\Certificates\lets-encrypt-r3.pem") ## INTERMEDIATE CA

## Build ca.crt: intermediate first, then the root appended. Written as ASCII because Windows PowerShell's
## '>' redirection emits UTF-16, which openssl does not read as PEM. Note that a plain '>' after a '>>'
## would overwrite the file, leaving only one certificate in it.
## r10.pem must already be present in $acmeStateDir\Certificates (see the retry further down).
Get-Content "$acmeStateDir\Certificates\r10.pem" | Set-Content "$acmeStateDir\Certificates\ca.crt" -Encoding ascii ## INTERMEDIATE CA
Get-Content "$acmeStateDir\Certificates\isrgrootx1.pem" | Add-Content "$acmeStateDir\Certificates\ca.crt" -Encoding ascii ## ROOT CA

Get-Content "$acmeStateDir\Certificates\ca.crt"

## Rebuild pfx
&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" pkcs12 -export -out "${certExportPath}.rebuilt.pfx" -inkey "${certExportPath}.key" -in "${certExportPath}.crt" -certfile "$acmeStateDir\Certificates\ca.crt" -passin pass:$CERT_PASS -passout pass:$CERT_PASS
```

When trying to test this rebuilt PFX:

```powershell
&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" pkcs12 -nodes -in "${certExportPath}" -out "${certExportPath}.crt" -passin pass:$CERT_PASS

## Check with -attime 60 days in advance so that we know well ahead if any certificate in the chain is about to expire
$Attime = (New-TimeSpan -Start (Get-Date "01/01/1970") -End (Get-Date).AddDays(+60)).TotalSeconds
$Attime = ($Attime -Split("\."))[0].Trim() # Ignore milliseconds; openssl -attime wants whole epoch seconds

&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" verify -attime $Attime -x509_strict -CAfile "$acmeStateDir\Certificates\ca.crt" -verbose "${certExportPath}.crt"
```

I get this error:

```
error 20 at 0 depth lookup: unable to get local issuer certificate
```

I also tried with the new intermediate certs, with no luck:

```powershell
(New-Object System.Net.WebClient).DownloadFile("https://letsencrypt.org/certs/isrgrootx1.pem", "$acmeStateDir\Certificates\isrgrootx1.pem") ## ROOT CA
(New-Object System.Net.WebClient).DownloadFile("https://letsencrypt.org/certs/2024/r10.pem", "$acmeStateDir\Certificates\r10.pem") ## INTERMEDIATE CA
```

Am I missing anything? Please suggest. Thanks.

glatzert commented 4 months ago

Where exactly does the error occur? The message seems to be openssl-related?

nreddipalle commented 4 months ago

The error happens at the last step:

```powershell
&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" verify -attime $Attime -x509_strict -CAfile "$acmeStateDir\Certificates\ca.crt" -verbose "${certExportPath}.crt"
```

Is there a way to append the root CA and intermediate CA directly during the issue certificate/export operation instead of doing it later? I am still using version 1.5.0 of ACME... wondering if any recent versions started supporting the above? Thanks for your response.
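The two posts above raise the same two questions: why does `openssl verify` report "error 20 at 0 depth" (no certificate in the CA file has a Subject equal to the leaf's Issuer), and whether the chain can be taken from the export instead of being downloaded by hand. The script below is an added diagnostic example for this thread; it is not code from the ACME-PS project or from the issue's author, and it does not answer whether any ACME-PS version adds a chain flag. It opens the exported PFX, walks leaf to issuer using only the certificates the PFX already carries, writes those chain certificates to `ca.crt` as ASCII PEM (Windows PowerShell's `>` redirection emits UTF-16, which openssl will not parse as PEM), compares a hand-downloaded intermediate against the leaf's Issuer, and runs .NET's own `X509Chain` build with the same 60-day look-ahead the issue uses with `-attime`. Variable names mirror the issue's script; their values, and the `$manualIntermediate` path, are constructed assumptions.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# --- inputs: names mirror the issue's script; values are constructed assumptions ---
$acmeStateDir       = $env:ACME_STATE_DIR                    # e.g. D:\home\acme-state
$certExportPath     = "$acmeStateDir\example.pfx"            # PFX written by Export-ACMECertificate
$CERT_PASS          = $env:CERT_PASS                         # password passed as -Password
$manualIntermediate = "$acmeStateDir\Certificates\r10.pem"   # hypothetical hand-downloaded intermediate

function Get-PfxContents {
    # Load every certificate stored in the PFX (leaf plus any chain the ACME server returned).
    param([string]$Path, [string]$Password)
    $col = [X509Certificate2Collection]::new()
    $col.Import($Path, $Password, [X509KeyStorageFlags]::Exportable)
    return $col
}

function ConvertTo-PemBlock([X509Certificate2]$Cert) {
    # DER -> base64 in 64-column lines, the PEM layout openssl and Key Vault expect.
    $b64   = [Convert]::ToBase64String($Cert.Export([X509ContentType]::Cert))
    $lines = ($b64 -split '(.{64})') | Where-Object { $_ }
    return "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----"
}

function Get-OrderedChain {
    # Walk leaf -> issuer -> ... using only what the PFX carries. Stops at a self-signed
    # certificate, or when no issuer is present (openssl's "error 20" situation).
    param([X509Certificate2Collection]$Pfx)
    $leaf = @($Pfx | Where-Object { $_.HasPrivateKey })[0]
    if (-not $leaf) { throw "No certificate with a private key in the PFX" }
    $ordered = @($leaf)
    $current = $leaf
    while ($current.Subject -ne $current.Issuer) {
        $next = @($Pfx | Where-Object {
            $_.Subject -eq $current.Issuer -and $_.Thumbprint -ne $current.Thumbprint })[0]
        if (-not $next) { break }
        $ordered += $next
        $current  = $next
    }
    return ,$ordered
}

$pfx   = Get-PfxContents -Path $certExportPath -Password $CERT_PASS
$chain = Get-OrderedChain -Pfx $pfx
$leaf  = $chain[0]

"PFX carries $($pfx.Count) certificate(s); chain walk linked $($chain.Count)"
"Leaf subject : $($leaf.Subject)"
"Leaf issuer  : $($leaf.Issuer)"     # the Subject that the intermediate in ca.crt must have

if ($chain.Count -eq 1) {
    "The PFX holds only the leaf: fetch the intermediate whose Subject is '$($leaf.Issuer)'"
} else {
    # Intermediate(s) first, root last; ASCII so openssl can read it (PowerShell '>' would write UTF-16).
    $caBundle = Join-Path $acmeStateDir 'Certificates\ca.crt'
    $pem = ($chain | Select-Object -Skip 1 | ForEach-Object { ConvertTo-PemBlock $_ }) -join "`n"
    Set-Content -Path $caBundle -Value $pem -Encoding ascii
    "Wrote $($chain.Count - 1) chain certificate(s) to $caBundle"
}

# Compare a hand-downloaded intermediate with the leaf's Issuer before bundling it.
if ($manualIntermediate -and (Test-Path $manualIntermediate)) {
    $cand = [X509Certificate2]::new($manualIntermediate)
    "Downloaded intermediate subject: $($cand.Subject)"
    "Matches leaf issuer            : $($cand.Subject -eq $leaf.Issuer)"
}

# .NET's own chain build, with the 60-day look-ahead the issue uses for openssl -attime.
$builder = [X509Chain]::new()
$builder.ChainPolicy.RevocationMode   = [X509RevocationMode]::NoCheck
$builder.ChainPolicy.VerificationTime = (Get-Date).AddDays(60)
foreach ($c in ($chain | Select-Object -Skip 1)) { [void]$builder.ChainPolicy.ExtraStore.Add($c) }
if ($builder.Build($leaf)) {
    "X509Chain builds: " + (($builder.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
} else {
    $builder.ChainStatus | ForEach-Object { "X509Chain problem: $($_.Status): $($_.StatusInformation.Trim())" }
}
```

Run it once against the PFX that `Export-ACMECertificate` wrote, before any `openssl pkcs12` splitting. The "Leaf issuer" line is the check that matters for error 20: whatever name it prints (Let's Encrypt replaced R3 with the R10/R11 and E5/E6 intermediates in 2024) is the Subject the intermediate in `ca.crt` has to carry, and the "Matches leaf issuer" line tells you directly whether the PEM you downloaded is that intermediate. If the walk links more than one certificate, the export already contained the chain and the manual download is unnecessary.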