Yealink provisioning issues following the expiry of the DST Root CA X3 certificate

Status
Not open for further replies.

hfoster

Active Member
Jan 28, 2019
674
80
28
34
Has it given you the correct chain? You can always check https://www.geocerts.com/ssl-checker and see if DST Root CA X3 is still present. (You can also analyse the file directly and convert it to a readable cert using OpenSSL. Unfortunately because the two chains provided by LetsEncrypt are:
  • DST Root CA X3 -> ISRG Root X1 -> R3 LetsEncrypt
  • ISRG Root X1 -> R3 LetsEncrypt
The client has to have the logic to pick the second one. Certbot was busted on this until this year.
 

TimGuyUK

Member
Feb 28, 2018
105
2
18
51
Has it given you the correct chain? You can always check https://www.geocerts.com/ssl-checker and see if DST Root CA X3 is still present. (You can also analyse the file directly and convert it to a readable cert using OpenSSL. Unfortunately because the two chains provided by LetsEncrypt are:
  • DST Root CA X3 -> ISRG Root X1 -> R3 LetsEncrypt
  • ISRG Root X1 -> R3 LetsEncrypt
The client has to have the logic to pick the second one. Certbot was busted on this until this year.
Great website, I like that, cheers,

Your right the DST Root CA X3 is still at the top of the tree and expired September 30, 2021.

Does that mean that the putting PREFERRED_CHAIN="ISRG Root X1" to the bottom of /etc/dhyrated/config file isnt correct and forcing a certificate update isnt the correct thing to do?

Tim
 

hfoster

Active Member
Jan 28, 2019
674
80
28
34
Well, I'd say it is correct method, the issues on the dehydrated github page seem to agree too:


There is also in that issue:

I should just add that on older openssl (eg, el6, el7), the selection of the correct chain should be done like that

PREFERRED_CHAIN="issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1"

I can't really confirm this though, as I just use Certbot to keep uniformity throughout my network.
 

markjcrane

Active Member
Staff member
Jul 22, 2018
447
162
43
49
In order for preferred chain to work you have to update your version of dehydrated. So that running

dehydrated -h

Needs to show the following in the results of the command above.

--preferred-chain issuer-cn

If its not then the letsencrypt.sh script will now upgrade dehydrated for you and then it will make the new certificate.

cd /usr/src/fusionpbx-install.sh
git pull
./letsencrypt.sh

The preferred-chain is now part of the script.
 
Last edited:
  • Like
Reactions: Adrian Fretwell
Status
Not open for further replies.