Hello!

stu.li...@spacehopper.org (Stuart Henderson), 2021.10.02 (Sat) 16:13 (CEST):
> On 2021-10-02, Marcus MERIGHI <mcmer-open...@tor.at> wrote:
> > benoit-li...@fb12.de (Sebastian Benoit), 2021.09.30 (Thu) 21:42 (CEST):
> >> Chris Bennett(cpb_m...@bennettconstruction.us) on 2021.09.30 10:02:17 -0700:
> >> > I'm getting that the certs are expired, but https works fine in Firefox,
> >> > including when looking at the full chain.
> >> > openssl s_client -servername mail.strengthcouragewisdom.rocks -connect
> >> > mail.strengthcouragewisdom.rocks:https
> >>
> >> This is an issue with an expired root/intermediate certificate (DST Root X3)
> >> in use by Let's Encrypt.
> > I've syspatch(8)-ed a machine that now delivers the following error:
> > $ openssl s_client -servername shop.theater-phoenix.at -connect \
> >     shop.theater-phoenix.at:https
> > Verify return code: 21 (unable to verify the first certificate)
> > Does this issue have the same root cause or is this something different?
>
> Different. They are using the wrong *intermediate* cert (which expired on
> *Wednesday*):
>
>     Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
>     Validity
>         Not Before: Oct 7 19:21:40 2020 GMT
>         Not After : Sep 29 19:21:40 2021 GMT
>     Subject: C=US, O=Let's Encrypt, CN=R3
>
> Specifically, at present they should be using this instead:
> https://letsencrypt.org/certs/lets-encrypt-r3.pem
> However it may change in future so they should use the one fetched by
> their ACME client (generally this means using the "fullchain" file)
> rather than fetching a separate one.

I've nominated you for the "most helpful person around" award.

Thanks!

Marcus
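
The check made by hand in the thread (read the Issuer/Validity/Subject fields of each certificate the server sends and spot the expired intermediate) can be scripted. The following is an added example, not code from any poster in this thread; the function names and the leaf certificate entry in the sample are assumptions, and only the R3 fields are taken from the quoted output.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of `openssl x509 -text`. The leaf entry is
# made up; the intermediate's fields are the ones quoted in the thread.
SAMPLE = """\
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Sep  1 10:00:00 2021 GMT
            Not After : Nov 30 10:00:00 2021 GMT
        Subject: CN=www.example.org
        Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
        Validity
            Not Before: Oct 7 19:21:40 2020 GMT
            Not After : Sep 29 19:21:40 2021 GMT
        Subject: C=US, O=Let's Encrypt, CN=R3
"""

FIELD = re.compile(r"^\s*(Issuer|Not Before|Not After|Subject)\s*:\s*(.+?)\s*$")
FMT = "%b %d %H:%M:%S %Y %Z"

def norm(dn):
    # OpenSSL prints "CN = R3", LibreSSL "CN=R3"; compare them alike.
    return re.sub(r"\s*=\s*", "=", dn)

def parse_chain(text):
    """Return one dict per certificate, in the order the dump lists them."""
    certs, cur = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key.startswith("Not"):
            val = datetime.strptime(val, FMT).replace(tzinfo=timezone.utc)
        cur[key] = val
        if key == "Subject":  # Subject is the last of the four fields
            certs.append(cur)
            cur = {}
    return certs

def findings(certs, now):
    """Flag expired certificates and issuer/subject gaps between neighbours."""
    out = []
    for i, c in enumerate(certs):
        if now > c["Not After"]:
            out.append(f"cert {i} ({norm(c['Subject'])}) expired {c['Not After']:%Y-%m-%d}")
        if i + 1 < len(certs) and norm(c["Issuer"]) != norm(certs[i + 1]["Subject"]):
            out.append(f"cert {i} issuer does not match subject of cert {i + 1}")
    return out
```

A dump of every certificate in a bundle in this layout can be produced with `openssl crl2pkcs7 -nocrl -certfile fullchain.pem | openssl pkcs7 -print_certs -text -noout`; run against the sample on the date of the reply, `findings()` reports only the R3 intermediate.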