Letsencrypt Expired Chain Certificate


In running my semi-annual Nessus penetration tests, I’ve discovered that Letsencrypt (certbot) has chosen to leave an expired certificate in their chain in order to support old/outdated devices and browsers. While most modern browsers will ignore the expired certificate without issue, Nessus is not so pleased about the expired certificate in the chain.

I’ve managed to fix this issue across all of my other systems, such as nginx, postfix, courier, etc. The solution is pretty simple. However, I’m not sure how to get SimpleHelp to make use of this feature. Any advice would be greatly appreciated. Here is the solution I’ve got working on my other servers.

certbot renew --preferred-chain=“ISRG Root X1” --force-renew

Also, since I use dns-cloudflare for authentication instead of the http/html access method, I use the following more specific command.

certbot renew --preferred-chain=“ISRG Root X1” --force-renew --dns-cloudflare

The preferred-chain causes the renewal to ignore the expired chain and not include it in the final certificate.

Any ideas on how to make this work for Simple Helps implementation of Letsencrypt/certbot?

I feel so silly. :frowning:

I had upgraded to the latest version before posting this, and I verified that there’s no option to pass “preferred-chain” and assumed I was still having the problem.

Somehow, the certificate got reissued, and it does not contain the expired chain anymore. Sorry to trouble folks. Going to try and re-run my full networks scan, and it will hopefully go well.

And yet. Even more silly. So… This problem still exists.

When I look at the “View Server Keystore Details” from the Administration area, I can see that NONE of the certs in the chain are expired. However, when I actually use openssl or Nessus to scan the site, it indeed finds the expired certificate chain, just as it has before the upgarde.

I’m still look to find someone with a solution to issue the letsencrypt certificate with the preferred-chain parameter.

This is currently an issue with a lot of security products. There are alot of reddit posts and even a blog post by letsencrypt that discuss the issue. You will have to ignore the cert or wait for the product to update its certificate bundle to view the chain properly since the certificate is cross-signed for backwards compatibility with mobile devices.

With a response to my Simple Help ticket, I was able to find some linux commands to manually overwrite the keystore that Simple Help uses.

So, I installed letsencrypt with the automation to renew the certificates properly, using my command line preferred-chain=“ISRG Root X1” listed above. Now all I need to do is write a script to auto-detect when letsencrypt generates a new certificate, and then my script will export/import the new cert into the Simple Help keystore using openssl and/or keytool. :slight_smile:

openssl pkcs12 -export -in /etc/letsencrypt/live/MY_DOMAIN/fullchain.pem -inkey /etc/letsencrypt/live/MY_DOMAIN/privkey.pem -out keystore.p12 -name simplehelp -CAfile /etc/letsencrypt/live/MY_DOMAIN/chain.pem -caname root

Then, upload this .p12 file manually through the SimpleHelp technician Administration area. Once uploaded with your new password, I’m told that in future runs, using the same password, I can just overwrite the existing keystore without having to upload it through the interface.