On Tue, May 31, 2022 at 09:55:22PM +0200, Tim Jackson via Exim-users wrote:
> Thanks for the clarification. So the issue is the client verification of the > server cert, not a client cert. Yes, unless I've grossly misread your description of the symptoms. > > The DST Root CA is expired. You can configure LE to build a > > "fullchain.pem" using the ISRG root instead. The only downside is that > > old Android systems may no longer be able to verify your chain. > > OK, so my original theory was right (and, if I understand rightly, this is an > outdated client implementation). Yes. > Is the solution 'certbot --preferred-chain > "ISRG Root X1"' then? (As I mentioned, I currently use acme-tiny rather than > certbot, which unfortunately doesn't seem to support choosing the chain [1], > so I guess I have to switch) Something like that. One way or another avoid the DST root. -- Viktor. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/