On 2/3/22 15:42, Matus UHLAR - fantomas wrote:
> it might be this:
>
> % openssl s_client -connect darwin.bork.org:25 -starttls smtp
> CONNECTED(00000003)
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = darwin.bork.org
> verify return:1
> ---
> Certificate chain
> 0 s:CN = darwin.bork.org
> i:C = US, O = Let's Encrypt, CN = R3
> 1 s:C = US, O = Let's Encrypt, CN = R3
> i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
> 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
> i:O = Digital Signature Trust Co., CN = DST Root CA X3
>
> the third certificate is expired, but the second one is already trusted by
> root CA, so the third should not be evaluated.

See:
https://letsencrypt.org/2021/10/01/cert-chaining-help.html
With the workarounds at:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
Best,
Patrick
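
An added example, not part of the original thread: a shell function that reads `openssl s_client` output and reports any chain entry issued by DST Root CA X3, which is the cross-signed link discussed above. The function names are hypothetical and the sample input is reproduced from the chain quoted in this message.

```shell
#!/bin/sh
# Added example. find_dst_x3_links and sample_chain are illustrative names.
# Reads `openssl s_client` output on stdin and prints the subject of each
# chain entry whose issuer is DST Root CA X3. Exit status: 0 found, 1 not found.
find_dst_x3_links() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        !in_chain            { next }
        # Subject line has the form: <index> s:<subject DN>
        /^[ \t]*[0-9]+[ \t]+s:/ {
            subject = $0
            sub(/^[ \t]*[0-9]+[ \t]+s:/, "", subject)
            next
        }
        # Issuer line has the form: i:<issuer DN>
        /^[ \t]*i:/ {
            issuer = $0
            sub(/^[ \t]*i:/, "", issuer)
            if (issuer ~ /CN ?= ?DST Root CA X3[ \t\r]*$/) {
                print subject
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Sample input: the "Certificate chain" section shown in the quoted message.
sample_chain() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = darwin.bork.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# Prints the subject of the cross-signed entry served by the host.
sample_chain | find_dst_x3_links
```

Against a live server, pipe the output of the `openssl s_client` command from the quoted message into `find_dst_x3_links`.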