Certificate X509v3 extension problems

I have been using Certify The Web for a while to generate and update a certificate for the web site and for the IceCast server.
The PEM certificate is no longer accepted by IceCast.
So I used openssl to review the pem file and found some critical issues:

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:country-radio.eu, DNS:www.country-radio.eu
            X509v3 Certificate Policies:

What could be the problem and what has changed in the software?

A “critical” extension is one that the CA sets to indicate how the certificate can be used. I’d be surprised if this has changed between versions as it’s up to the CA what this should be.

You need to find out exactly what the error from IceCast is but I expect it’s one of:

  • The default key type changed from RSA 2048 to ECDSA 256, you can set this under Settings back to RSA 2048 and request your certificate again
  • We no longer use Let’s Encrypt’s legacy DST Root CA X3 chain by default, they are retiring this fairly soon. The impact can be an untrusted certificate if your CA certificate trust store is very outdated.
  • We no longer export the root CA certificate as part of some of the deployment tasks such as Deploy to Apache and Deploy to Generic Server, it’s unlikely you were relying on that but it could have an impact.

It’s probably the key type (the first one).
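
A way to check an exported PEM file against the three causes listed in the answer above, using the same `openssl` tool as the question. This is an added example, not part of the original thread or of Certify The Web; the function names and the file path in the usage comment are hypothetical.

```bash
#!/bin/sh
# Added example; function names are hypothetical, not part of Certify The Web or IceCast.

# Public key algorithm of the first (leaf) certificate in the PEM file:
# "rsaEncryption" for RSA, "id-ecPublicKey" for ECDSA.
leaf_key_type() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -F': ' '/Public Key Algorithm/ { sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# Number of certificates in the file (leaf plus any chain certificates).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the last certificate block in the file.
last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
         { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { cert = buf }
         END { printf "%s", cert }' "$1"
}

# Succeeds when the last certificate's subject and issuer names match,
# i.e. a self-issued root CA certificate is present in the file.
last_cert_self_issued() {
    lc_subj=$(last_cert "$1" | openssl x509 -noout -subject_hash 2>/dev/null)
    lc_iss=$(last_cert "$1" | openssl x509 -noout -issuer_hash 2>/dev/null)
    [ -n "$lc_subj" ] && [ "$lc_subj" = "$lc_iss" ]
}

# One-screen summary covering key type, chain length and root inclusion.
check_bundle() {
    echo "leaf key type: $(leaf_key_type "$1")"
    echo "certificates : $(cert_count "$1")"
    echo "top of chain : $(last_cert "$1" | openssl x509 -noout -issuer 2>/dev/null)"
    if last_cert_self_issued "$1"; then
        echo "root CA      : included"
    else
        echo "root CA      : not included"
    fi
}

# Usage: sh check_bundle.sh /path/to/icecast.pem
if [ "$#" -gt 0 ]; then check_bundle "$1"; fi
```

Running it on a PEM file from before the update and on the current one shows which of the three items actually changed.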