Can not find issuer error

RichP · February 12, 2024, 11:01am

Everything was setup on windows and working fine as of a couple of days ago.
This morning got the following error returned in the logs when trying to auto update a cert on a Windows Server integrated into IIS with HTTP authorization:

Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'. Certes.AcmeException: Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'.

I dont think I have done anything to break it on my side.

Thanks

webprofusion · February 13, 2024, 6:15am

Let’s Encrypt recently stopped including the “long chain” for their certificates Shortening the Let's Encrypt Chain of Trust - API Announcements - Let's Encrypt Community Support - for most users this isn’t an issue but in your case your server doesn’t know the ISRG Root X1 root certificate and on older versions of the app that means it can’t build the final PFX.

This means your system is not configured to automatically updates it’s list of CA root certificates (either via group policy, registry settings or your firewall blocks windows updates) which was common about 10yrs ago when there was a temporary bug with windows update for CA root certs and some people still have that workaround enabled.

This limitation (requiring a local copy of the CA root cert) was removed about 16 releases back and it’s usually a good idea to keep the software up to date so please upgrade to the latest version and try that out.

DaveL · February 16, 2024, 5:50pm

I am having the same issue on Windows Server 2022. I double-checked and can confirm Windows is updated as of today and that there are no group policies limiting updates to root certs.

I made sure to update Certify the Web to the latest version (6.0.14.0) and tried to issue again, but then I received the error “Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours”.

I will try again in 48 hours.

webprofusion · February 17, 2024, 3:13am

@DaveL yes the problem was that old version of the app that didn’t know the newer root certificate would successfully order the cert but then couldn’t build the PFX, so subsequent attempts would count as a duplicate request with the CA. In an emergency you could switch to a different CA or just wait out the rate limit.

For anyone seeing similar issues:

Update to the latest version of app, please also consider if you should be purchasing a license if you have not already especially if you require support.
If you are receiving a rate limit error consider either waiting out the rate limit or change CA: Certificate Authorities | Certify The Web Docs
Make updating Certify The Web part of a bi-annual review, please do not wait years to update the app as Ca services like Let’s Encrypt can and do change regularly.

jljtgr · February 19, 2024, 11:52am

Another way to bypass the rate limit is to change the domains on the certificate. For example, if you have domain.com as your cert… you can request a cert with both domain.com and www.domain.com on a single cert. That’s what the error message means by “this exact set of domains”. If you change the set in any way, it is considered different.