Error building certificate as PFX - Cannot find issuer

Hey all,

Great product this :slight_smile: I’ve recently had an issue trying to generate a test certificate. Now I’ve read online there was an issue with this on LetsEncrypt and there was scheduled maintenance 2 days ago by LetsEncrypt.
LetsEncrypt Staging Changes & this LetsEncryptStatus. Here is my error:

Check system date/time is correct and that the issuing CA is a trusted root CA on this machine (or in custom_ca_certs). :Can not find issuer ‘C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Doctored Durian Root CA X3’ for certificate ‘C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Pretend Pear X1’. System.Exception: Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine (or in custom_ca_certs). :Can not find issuer ‘C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Doctored Durian Root CA X3’ for certificate ‘C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Pretend Pear X1’.

  • at Certify.Providers.ACME.Certes.CertesACMEProvider.ExportFullCertPFX(String certFriendlyName, String pwd, IKey csrKey, CertificateChain certificateChain, String certId, String primaryDomainPath) in*

Do you guys know what could be causing this? Please help. I did recently update the app & I’m running version 5.3.1.0. Thanx in advance!

Hi James,

So because of the way that Certify The Web (via its ACME library certes) builds the PFX certificate chain we actually need a copy of the root signing certificate for whichever chain you are trying to build. Normally this is either found in the computer’s trust store (for trusted issuers) or in the past certes has bundled a few embedded certs for things like the LE staging root.

However, very recently Let’s Encrypt introduced a couple of staging chain roots ((STAGING) Pretend Pear X1 and (STAGING) Doctored Durian Root CA X3). This is because LE are planning to change their production chain and are experimenting with having a choice between an expired root (which will work on old Android versions) and a non-expired root (which won’t). Which of these you need to know about will depend on which chain you are being served by default from the LE staging API. In the current case, this is (STAGING) Doctored Durian Root CA X3 - this will likely change over time.

To get the cert chain to build, you need to provide the missing root, and because this is a test cert that shouldn’t be trusted, you need to not install it to the trust store. Instead, you need to get a copy of the root cert and place it into either C:\ProgramData\Certify\custom_ca_certs\der or C:\ProgramData\Certify\custom_ca_certs\pem, depending on what format you have it in.

Here is a link to Doctored Durian in DER format: http://stg-r3.i.lencr.org
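
Added example (not part of the original thread and not Certify The Web's own code): a Python check that tells whether a downloaded certificate file is PEM or DER, so it goes into the matching custom_ca_certs subfolder, and that extracts the issuer and subject so you can confirm the file is a self-issued root. The function names and the sample certificate skeleton are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("DER element header is truncated")
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first > 0x80 else 0       # long form: n length bytes follow
    start = pos + 2 + n
    length = int.from_bytes(buf[pos + 2:start], "big") if n else first & 0x7F
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def classify(data):
    """Return (subfolder, der_bytes); subfolder is 'pem' or 'der' as in the answer."""
    m = PEM_RE.search(data)
    fmt, der = ("pem", base64.b64decode(b"".join(m.group(1).split()))) if m else ("der", data)
    tag, _, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):            # must be exactly one outer SEQUENCE
        raise ValueError("not a single DER-encoded certificate")
    return fmt, der

def issuer_and_subject(der):
    """Return the raw issuer and subject Name fields of an X.509 certificate."""
    _, cert_start, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(der, cert_start)   # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end and len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                           # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    if len(fields) < 5:
        raise ValueError("tbsCertificate is missing fields")
    return fields[2], fields[4]   # order: serial, sig alg, issuer, validity, subject

def tlv(tag, body):  # sample builder only; body must be shorter than 128 bytes
    return bytes([tag, len(body)]) + body

# Constructed sample: an unsigned certificate skeleton, not a real CA certificate.
NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Constructed Test Root"))))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
          + NAME + tlv(0x30, b"") + NAME + tlv(0x30, b""))
SAMPLE_DER = tlv(0x30, TBS + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

Pass the bytes of the downloaded file to `classify` before copying it; an HTML error page or a truncated download raises `ValueError` instead of ending up in the folder.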

Thanx for the detailed info and quick response! :grinning: Let me go put that cert there
