Need to add Let's Encrypt Intermediate

Question

Need to add Let's Encrypt Intermediate

andyzib opened this issue 3 years ago · comments

Need to add Let's Encrypt Intermediate to prtg.cert or SSL Labs will cap grade at B, some devices like iOS may be forced to download the intermediate and get an out of date cert. Just add ISRG Root X1 https://letsencrypt.org/certificates/ (PEM format) to prtg.crt first, then add the actual cert.

Andrew Zbikowski · Answer 1 · Tue Oct 05 2021 18:45:20 GMT+0800 (China Standard Time)

It's been awhile, Intermediate CA is written to root.pem but seems the PRTG webserver doesn't provide the chain to clients.

Andrew Zbikowski · Answer 2 · Tue Oct 05 2021 23:15:42 GMT+0800 (China Standard Time)

Used Paessler Certificate Importer to verify what PRTG wants in root.pem.

prtg.key - Private Key
prtg.crt - Public Cert for PRTG
root.pem

prtg.crt first
subject=C = US, O = Let's Encrypt, CN = R3, issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1. issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

Will update script to produce the same results as Paessler Certificate Importer.

Andrew Zbikowski · Answer 3 · Tue Oct 05 2021 23:33:18 GMT+0800 (China Standard Time)

SSLLabs will throw a Chain issues: Contains anchor when Paessler Certificate Importer is used. Removing ISRG Root X1 from root.pem resolves this, and is the proper way. Will update script accordingly. PRTG is happy with this arrangement.