dehydrated-io / dehydrated

letsencrypt/acme client implemented as a shell-script – just add water
https://dehydrated.io
MIT License

dehydrated seems to not really use X1? #892

Closed mckaygerhard closed 1 year ago

mckaygerhard commented 1 year ago

After issue #808 I tried to generate using X1, but I don't know, or I don't understand, what that means: I explicitly used the CN X1, but the resulting one is R3:

process i used:

serveruno:/etc/cron.monthly# /usr/bin/dehydrated -x --cron --challenge http-01  --accept-terms --preferred-chain "ISRG Root X1"
# INFO: Using main config file /etc/dehydrated/config
Processing xxxxxxxxx.net with alternative names: mail.xxxxxxxx.net ..
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 13 16:49:30 2023 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 8 authorizations URLs from the CA
 + Handling authorization for imap.xxxxxxx.net
 + Found valid authorization for imap.xxxxxxx.net
 + Handling authorization for mail.xxxxxxx.net
 + Found valid authorization for mail.xxxxxxx.net
 + Handling authorization for xxxxxxx.net
 + Found valid authorization for xxxxxxx.net
 + 0 pending challenge(s)
 + Requesting certificate...
 + Using preferred chain with CN = ISRG Root X1
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Executing deploy_cert hook /var/lib/dehydrated/hooks.d/joinpem.sh
 + Creating combined.pem (a combined privkey.pem + cert.pem)
 + Removing unused combined certificate file: combined-1668534558.pem
 + Done!

I made sure to change the cert file:

cp -aLf /var/lib/dehydrated/certs/xxxxxxx.net/combined.pem /etc/ssl/certs/xxxxxxx.net.pem
chown root:www-data /etc/ssl/certs/xxxxxx.net.pem
chmod 640 /etc/ssl/certs/xxxxxx.net.pem
(test -x /etc/init.d/lighttpd && /usr/sbin/service lighttpd restart) || exit 0

Then I tested the result, but the cert file still shows R3; tested in Edge crap so nobody can say it's the browser:


mckaygerhard commented 1 year ago

I also checked the console:

The console also still shows the older one: Issuer: C = US, O = Let's Encrypt, CN = R3

serveruno:/opt# openssl x509 -in /var/lib/dehydrated/certs/xxxxx.net/fullchain.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:29:19:d8:ab:cc:b3:00:00:9c:ec:e6:00:90:6d:3c:a3:70
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Nov 17 15:19:58 2022 GMT
            Not After : Feb 15 15:19:57 2023 GMT
        Subject: CN = xxxxxxx.net
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:22:fc:67:65:6a:0d:a5:bf:d1:1e:83:cd:f4:ea:
                    bc:3d:03:8a:58:ce:a1:36:d5:cd:e1:ee:2f:b7:56:
                    90:ef:67:ab:ce:bc:7b:ae:b2:92:49:e4:a3:9f:d1:
                    d0:ce:bb:8c:30:e1:a1:b0:f8:a6:81:3c:32:f4:7d:
…
AgentOak commented 1 year ago

R3 is the most recent signing certificate used by Let's Encrypt to sign all end-user certificates (along with E1) right now. ISRG Root X1 is the root certificate which in turn signs R3. I recommend you familiarize yourself with the certificate chains: https://letsencrypt.org/certificates/
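The point above is that the `Issuer` line of the leaf certificate names the intermediate (R3 or E1), while `--preferred-chain "ISRG Root X1"` selects which chain sits on top of that intermediate. The script below is an added example, not part of this issue and not dehydrated's own code: it walks every certificate in a `fullchain.pem` bundle, prints subject and issuer for each one, reports the CN of the topmost issuer (the root the chain is meant to end in), and verifies the leaf against the local trust store the way a client on that host would. It assumes only the `openssl` command-line tool; the function names and the `ISRG Root X1` / `DST Root CA X3` hint in the comments are mine.

```shell
#!/bin/sh
# Added example (not dehydrated's code): inspect the certificate chain in a
# PEM bundle such as /var/lib/dehydrated/certs/<domain>/fullchain.pem.

# Print one "N: subject -> issuer" line per certificate in the bundle, in file
# order. `openssl x509` only reads the first certificate of a file, so the
# bundle is wrapped into a PKCS#7 structure and unpacked again to list them all.
chain_summary() {
    bundle="$1"
    openssl crl2pkcs7 -nocrl -certfile "$bundle" \
        | openssl pkcs7 -print_certs -noout \
        | awk '
            /^subject=/ { sub(/^subject=/, ""); subj = $0 }
            /^issuer=/  { sub(/^issuer=/, "");  printf "%d: %s -> %s\n", ++n, subj, $0 }'
}

# CN of the issuer of the LAST certificate in the bundle, i.e. the root the
# chain terminates in. For Let's Encrypt this is "ISRG Root X1" for the short
# chain and "DST Root CA X3" for the old cross-signed one; the leaf's own
# issuer (R3/E1) is only the intermediate and says nothing about the root.
chain_root_cn() {
    chain_summary "$1" \
        | tail -n 1 \
        | sed 's/.* -> .*CN *= *\([^,]*\).*/\1/'
}

# Number of certificates in the bundle.
chain_length() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Verify the leaf (first certificate) using the rest of the bundle as
# untrusted intermediates. With no second argument the system trust store is
# used, which is the check clients on this host effectively perform; pass a
# CA file as $2 to verify against a specific root instead.
chain_verify() {
    bundle="$1"; ca="${2:-}"
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" -untrusted "$bundle" "$bundle" >/dev/null 2>&1
    else
        openssl verify -untrusted "$bundle" "$bundle" >/dev/null 2>&1
    fi
}

# Usage: sh chaincheck.sh /var/lib/dehydrated/certs/example.net/fullchain.pem
if [ "$#" -gt 0 ]; then
    chain_summary "$1"
    echo "certificates in bundle: $(chain_length "$1")"
    echo "chain terminates in root CN: $(chain_root_cn "$1")"
    if chain_verify "$1"; then
        echo "leaf verifies against the system trust store"
    else
        echo "leaf does NOT verify against the system trust store"
    fi
fi
```

Run against the bundle dehydrated wrote: the first line will show `CN = R3` (or E1) as the leaf's issuer regardless of the preferred chain, and the last line is where `ISRG Root X1` should appear when the preferred chain took effect. If `chain_verify` fails with the system store, the problem is the host's CA bundle rather than the issued certificate.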

mckaygerhard commented 1 year ago

Thanks @AgentOak. I was posting because many of my clients reported it as untrusted, and the only difference I found was the issuer; after an investigation, just minutes before you posted, I found the same info in the Debian changelog. The ISRG_Root_X1 is present in my Linux, linked as lrwxrwxrwx 1 root root 51 oct 3 2020 /etc/ssl/certs/ISRG_Root_X1.pem -> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt, and R3 is the new one. I'll close for now.