Closed HansCR closed 4 years ago
Hi,
This should not be related to the changes at ZeroSSL. ZeroSSL had the web client, but le64.exe and Crypt-LE are self-sufficient clients and they don't depend on the website in any way. What was the command line you used for renewal? Did you use the -live flag?
I'm not familiar with Kerio Mail server specifically, but since a CRL is mentioned, I would say it might not be about the certificate itself but about the root/intermediate certificates it wants, for example. Are you sure that those are up to date and in the right places? My understanding is that:
- `server.crt` is placed under `sslcert/`
- `intermediate.crt` is placed under `sslca/`
- `rootca.crt` is placed under `sslca/`
Those additional certificates can be downloaded from https://letsencrypt.org/certificates/
Additionally, if Kerio actually tries to pull a CRL, it might be a networking problem accessing it. Please check the following document and see if it helps you pinpoint such an issue: https://www.digicert.com/kb/util/utility-test-ocsp-and-crl-access-from-a-server.htm
Yes, -live is used. The script has been the same for several months:

```
le64 --key ltsncrpt_acc.key --email "admin@xxxx.cz" --csr out_server.csr --csr-key our_server.key --crt our_server.crt --domains "mail.xxxxx.cz" --generate-missing --unlink --path %WWWDIR%\htdocs\.well-known\acme-challenge --log-config le_conflog.cfg --live --renew 30
```
The results seem to be good; it really looks like a problem with CRL access (don't know why). In Kerio the chain of certificates is still the same (the old certificate, issued 21.4.20, works).
Is it possible to try to renew the new certificate (delete --renew 30) even when the new (bad) one is still almost 90 days valid? Or should I try to renew the old (still working) certificate?
Thank You
It is certainly possible to generate a new one (you can either adjust the -renew value to something like 100 or remove the renew option completely); as long as you are within the "rate limits", it will work. It is interesting, though, that the previous certificate does not trigger an error message for you. You can try to check which CRL URLs you have in the certificates and see if those are really accessible. For example, you can see on https://letsencrypt.org/certificates/ that there are two active intermediate certificates present (IdenTrust cross-signed and signed by ISRG Root X1). One points to http://crl.identrust.com/DSTROOTCAX3CRL.crl for the CRL, while the other points to http://crl.root-x1.letsencrypt.org.
The intermediate is also the second certificate in the resulting crt file - see if those are different in your case between the old and new certificate.
As a last resort, you can also issue a certificate from Buypass instead of Let's Encrypt - see https://github.com/do-know/Crypt-LE#other-certificate-providers-and-custom-acme-servers. In essence you just need to use the `-server https://api.buypass.com/acme` option without `-live`, and preferably generate a different account key for Buypass by using something like `--key bpass_acc.key`.
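A way to do the two checks suggested in the reply above (which CRL and OCSP/caIssuers URLs each certificate in the `.crt` file carries, and whether the intermediate, i.e. the second certificate in the file, differs between the old and the new file), as an added example that is not part of Crypt-LE and was not posted in this thread. It uses only the Python standard library, with a small DER walker standing in for `openssl x509 -noout -text`. The two bundles at the bottom are constructed, certificate-shaped stand-ins that carry only the two extensions being inspected (no subject, key or signature, so they are not valid certificates); their `.invalid` URLs are made up, and only the two CRL addresses are the ones quoted above.

```python
# Added example, not Crypt-LE code: list the CRL distribution point and AIA
# (OCSP / caIssuers) URLs of each certificate in a PEM bundle and fingerprint the intermediate.
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID = {  # DER-encoded OID contents (without the 0x06 tag and length byte)
    "crl": b"\x55\x1d\x1f",                            # 2.5.29.31  cRLDistributionPoints
    "aia": b"\x2b\x06\x01\x05\x05\x07\x01\x01",        # 1.3.6.1.5.5.7.1.1  authorityInfoAccess
    "ocsp": b"\x2b\x06\x01\x05\x05\x07\x30\x01",       # 1.3.6.1.5.5.7.48.1  id-ad-ocsp
    "caIssuers": b"\x2b\x06\x01\x05\x05\x07\x30\x02",  # 1.3.6.1.5.5.7.48.2  id-ad-caIssuers
}

def read_tlv(buf, pos):
    # One DER TLV -> (tag, value_start, value_end). Single-byte tags suffice for X.509.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def walk(buf, start, end):
    # The TLVs of buf[start:end] at one nesting level.
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def extensions(der):
    # {'crl': extnValue, 'aia': extnValue}: walk the whole certificate looking for
    # Extension ::= SEQUENCE { OID, [BOOLEAN critical], OCTET STRING extnValue }.
    found = {}
    def visit(start, end):
        for tag, vs, ve in walk(der, start, end):
            kids = list(walk(der, vs, ve)) if tag == 0x30 else []
            if len(kids) >= 2 and kids[0][0] == 0x06 and kids[-1][0] == 0x04:
                for name in ("crl", "aia"):
                    if der[kids[0][1]:kids[0][2]] == OID[name]:
                        found[name] = der[kids[-1][1]:kids[-1][2]]
            elif tag & 0x20:  # constructed: descend
                visit(vs, ve)
    visit(0, len(der))
    return found

def uris(buf, start, end):
    # Every GeneralName uniformResourceIdentifier ([6] IA5String, tag 0x86) below start:end.
    out = []
    for tag, vs, ve in walk(buf, start, end):
        if tag == 0x86:
            out.append(buf[vs:ve].decode("ascii"))
        elif tag & 0x20:
            out.extend(uris(buf, vs, ve))
    return out

def split_pem(text):
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def describe_bundle(text):
    # One {'crl': [...], 'ocsp': [...], 'caIssuers': [...]} per certificate in the PEM text.
    out = []
    for der in split_pem(text):
        exts, entry = extensions(der), {"crl": [], "ocsp": [], "caIssuers": []}
        if "crl" in exts:
            entry["crl"] = uris(exts["crl"], 0, len(exts["crl"]))
        if "aia" in exts:
            aia = exts["aia"]
            for _, vs, ve in walk(aia, *read_tlv(aia, 0)[1:]):  # each AccessDescription
                method, location = list(walk(aia, vs, ve))[:2]
                for name in ("ocsp", "caIssuers"):
                    if aia[method[1]:method[2]] == OID[name] and location[0] == 0x86:
                        entry[name].append(aia[location[1]:location[2]].decode("ascii"))
        out.append(entry)
    return out

def intermediate_digest(text):
    # SHA-256 of the second certificate (the intermediate); IndexError if the file has fewer than two.
    return hashlib.sha256(split_pem(text)[1]).hexdigest()

# ---- CONSTRUCTED sample input: certificate-shaped DER carrying only the two extensions
# above (no subject, key or signature), so these are NOT valid certificates. ----
def tlv(tag, content):  # DER TLV with short- or long-form length
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def sample_cert(ocsp, ca_issuers, crl=None):
    access = b"".join(tlv(0x30, tlv(0x06, OID[n]) + tlv(0x86, u.encode()))
                      for n, u in (("ocsp", ocsp), ("caIssuers", ca_issuers)))
    exts = tlv(0x30, tlv(0x06, OID["aia"]) + tlv(0x04, tlv(0x30, access)))
    if crl:  # CRLDistributionPoints > DistributionPoint > [0] fullName > [0] GeneralNames > [6] URI
        dp = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, crl.encode())))))
        exts += tlv(0x30, tlv(0x06, OID["crl"]) + tlv(0x04, dp))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, exts)))
    b64 = base64.b64encode(tlv(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

LEAF = sample_cert("http://ocsp.leaf.invalid", "http://ca.leaf.invalid")  # no CRL DP, like a LE leaf
INT = ("http://ocsp.int.invalid", "http://root.invalid")
OLD_CRT = LEAF + sample_cert(*INT, "http://crl.identrust.com/DSTROOTCAX3CRL.crl")
NEW_CRT = LEAF + sample_cert(*INT, "http://crl.root-x1.letsencrypt.org")
```

On real files, `describe_bundle(open("our_server.crt").read())` prints the URLs the server would have to reach, and comparing `intermediate_digest()` of the old and new `.crt` tells you at once whether the chain changed with the renewal. Each URL returned for the intermediate is then something to fetch from the mail server itself, since that is where the "unable to get certificate CRL" check runs.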
What finally helped was downloading the certificates (all intermediates and roots) from https://letsencrypt.org/certificates/ and putting them in the SSLCA directory. Strangely, the old certificate with the same chain of trust works without them, and as I found, the CRL is not used at all; both certificates use the newer OCSP. So the problem was not in Crypt-LE; sorry to bother you, but your answers and links pointed me to the right solution.
Kudos to you and thank you for your help
Hello, I'm using Crypt-LE on Windows for Kerio Mailserver. Today I did a certificate renewal and everything went OK. But when I try to use the new certificate, it is marked as "untrusted" with the error "unable to get certificate CRL". When I try to use the old certificate (still valid for 20 days) it works OK. I found this: https://community.letsencrypt.org/t/zerossl-and-sslforfree-changes-what-you-need-to-know/126567 Can this be the problem? How do I solve this? Thank you