Clusterissuer preferredChain does not choice the ISRG X1 root certificate

[gerardgorrion]

Describe the bug:

We try to issuer new certificates using prefered chain ISRG Root X1, but the new certificates always use DST Root CA X3 instead the new X1. Yml file use in the cluster issuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
  namespace: cert-manager
spec:
  acme:
    preferredChain: "ISRG Root X1"
...

Expected behaviour:
We want to test new root CA before 30 of september (finish date of X3 cert supported into cert-manager).

Steps to reproduce the bug:
Install cert-manager v1.4, add clusterissuer with the preferred chain option and deploy new certificate using ingress deploy (using secret value to deploy cert), but all new certificates was deployed with X3 root instead ISRG X1.

Anything else we need to know?:
Current deployment with X3 works fine.

Environment details::

• Kubernetes version: 1.21
• Cloud-provider/provisioner: AWS (EKS)
• cert-manager version: 1.4.0
• Install method: static manifests

/kind bug

[gerardgorrion]

Here the cert root created by clusterissuer with preferedChain configured.

[gerardgorrion]

Chain of Trust

Here can see that R3 can use both root, but ISRG Root X1 is not use in new cert deployments.

When we check the example certificate of let's encrypt:

Example of X1 certificate:
valid-isrgrootx1.letsencrypt.org/

seem like root X1 is not working?

[gerardgorrion]

Some idea? We made some testing cert and all of they register with X3.

[maelvls]

Hi! I am able to get the "short" chain (ISRG only, 2 certificates long) with preferredChain: "ISRG Root X1":

kind: Issuer
spec:
  acme:
    preferredChain: "ISRG Root X1"

I used cert-manager v1.5.3. With certigo, I can see that the only valid chain is the one that stems from ISRG Root X1:

$ certigo connect example.boring.mael-valais-gcp.jetstacker.net

Found 1 valid certificate chain(s):
[0] CN=example.boring.mael-valais-gcp.jetstacker.net
        => CN=R3
        => CN=ISRG Root X1 [self-signed]

I also tested with the default setting (""):

kind: Issuer
spec:
  acme:
    preferredChain: ""

As expected, the signed certificate is returned along with 2 intermediates which give me two valid chains: the old (cross-signed one) and new chain.

$ certigo connect example.foo.mael-valais-gcp.jetstacker.net:443

Found 2 valid certificate chain(s):
[0] CN=example.foo.mael-valais-gcp.jetstacker.net
        => CN=R3
        => CN=ISRG Root X1 [self-signed]
[1] CN=example.foo.mael-valais-gcp.jetstacker.net
        => CN=R3
        => CN=ISRG Root X1
        => CN=DST Root CA X3 [self-signed] [SHA1-RSA]

@jakexks also pointed out that it is possible to experiment with the staging environment if you want to ensure to only get the short chain: https://community.letsencrypt.org/t/staging-doctored-durian-root-ca-x3-is-expired-breaks-test-environment/145689

[rafagsam]

@gerardgorrion
Same problem here...
Using 1.5.3 configuration with ClusterIssuer
@maelvls Did you try using a ClusterIssuer instead of the Issuer? Should it even have a different behaviour?

BTW.... Today is THE day lol

PS.: Past the expiration time, MIRACULOUSLY everything changed without renewing... Not sure what happened!

[maelvls]

@gerardgorrion What kind of application was serving the certificate?

TL;DR: if you are using IIS, the correct chain has automatically switched.

I noticed the same thing with Microsoft IIS. Before the expiry of R3 and DST, IIS would serve an old chain containing the old R3 (signed directly by DST, not by the cross-signed ISRG root).

The moment DST expired, IIS started serving the cross-signed ISRG root.

After some experiments, I realized that IIS (or is it Windows itself??) has some sort of heuristic to choose the correct chain. You can go into the Windows Certificates Manager and disable the unwanted old R3; after rebooting, IIS served the correct chain:

I find it very annoying that you can't specify a specific chain; letting Windows choose the chain to be served is the sort of magic I definitely don't want! After a bit of research, this issue had been surfaced by the Let's Encrypt team in the post Potential problem with R3 intermediates on Windows servers.

[maelvls]

I'll close this issue since the issue most probably went away with the expiration of the old R3 as well as DST Root CA X3.

[agowa]

Nope, it didn't go away. One needs to actively mark the expired root certificate as "disable all purposes for this certificate".

Had this issue today. Even deleting the expired root ca doesn't work. Windows just re-adds it automatically.
Also, note that the chain is shown correctly within cert-manager (mmc) and IIS Manager but it still serves the expired chain.
Check using ssllabs.com or openssl.