NTS: removed "not implemented" on server ca

Richard Laager rlaager at wiktel.com
Wed Apr 3 01:00:27 UTC 2019

On 4/2/19 5:35 PM, Gary E. Miller via devel wrote:
> Also, still broken for me when the fullchain.pem is in /tmp:

OpenSSL takes root certificates in two ways.

A) You can specify a file, in PEM format, with one or more root

B) You can specify a directory, in which case the certificates must be
named (or more typically, symlinked) with their hash; see `openssl
rehash`. Note that the files processed by `openssl rehash` must have one
certificate per file.

Technically speaking, fullchain.pem from certbot does not contain a root
certificate. It contains the end certificate and an intermediate CA
certificate. That said, adding the intermediate as a trusted root should
still cause validation to pass.

Try something like this:

mkdir /tmp/certs
cp /tmp/fullchain.pem /tmp/certs/
cd /tmp/certs

vi fullchain.pem
# Delete the first cert, (the end certificate) from the
# -----BEGIN CERTIFICATE----- line through the
# ------ END CERTIFICATE----- line, inclusive. This will leave only the
# intermediate certificate.

openssl rehash .

That should give you the following, assuming you have the Let's Encrypt
intermediate that chains up to IdenTrust, which is the certbot default:
$ ls
4f06f81d.0  fullchain.pem

See if that works with "ca=/tmp/certs" in ntp.conf.

On 4/2/19 6:26 PM, Gary E. Miller via devel wrote:
> No.  LE has FIVE root certs.  Maybe you can call it a split root.  And
> you have no way of knowing which one they use for any particular cert.

Technically speaking, Let's Encrypt has one root cert, the ISRG Root X1.

They have multiple intermediates, some of which chain up to a root from
a different CA (IdenTrust), the DST Root CA X3.

This was done to bootstrap Let's Encrypt. By chaining off an existing CA
(IdenTrust), Let's Encrypt certificates were trusted by existing
clients. Then, Let's Encrypt went through the process to get their own
root (the ISRG root) into major clients through their root CA programs.
At some point, when "enough" of the installed base supports the ISRG
root, Let's Encrypt users can switch to requesting certs be issued from
the intermediates chained from ISRG. Eventually Let's Encrypt will no
longer need to rely on IdenTrust.

To use both, concatenate both root certificates (ISRG Root X1 and DST
Root CA X3) into a root ca _file_, or put both certificates (separately)
into a root ca directory and run `openssl rehash`.

> And note the specifically say: "Our roots are kept safely offline."
> So you can't even get the root to check it!

That sentence means they have the root's private key offline for
security reasons. The ISRG root's public certificate is linked from that

You can get DST Root CA X3 here:

or you likely already have it installed, possibly at something like:


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190402/d50ebc45/attachment-0001.bin>

More information about the devel mailing list