On Thu, Feb 03, 2022 at 06:51:09PM +0100, Matus UHLAR - fantomas wrote:
> sorry, the third one is not expired:
>
>         Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
>         Validity
>             Not Before: Jan 20 19:14:03 2021 GMT
>             Not After : Sep 30 18:14:03 2024 GMT
>         Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
>
> the root that signs it is expired:
>
>         Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
>         Validity
>             Not Before: Sep 30 21:12:19 2000 GMT
>             Not After : Sep 30 14:01:15 2021 GMT
>         Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
>
> I was writing from memory.

On 03.02.22 12:55, Viktor Dukhovni wrote:
> Yes, most systems (other than ancient Android systems) are expected to
> have the ISRG root in place, and prefer it to the cross-cert in the
> chain.
>
> Since MTAs (at least on port 25) are not typically serving old Android
> phones as clients, one might consider configuring the ACME client to
> build a chain anchored at the ISRG root, without the DST cross-cert.

...and it's possible that some clients/checkers complain because of DST root
being expired (the last intermediate certificate is signed by expired CA)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Fighting for peace is like fucking for virginity...
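
The situation discussed in this thread, as an added example that is not part of any poster's message: a small parser for `openssl x509 -text` style fields that reports, for each certificate in a chain, whether it is expired itself and whether the certificate of its issuer is expired. The sample text is copied from the two dumps quoted above; the function names are hypothetical, and issuers are matched by name only (an assumption; no signature is verified).

```python
import re
from datetime import datetime, timezone

# Fields copied from the two certificate dumps quoted in the thread.
SAMPLE = """\
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Validity
    Not Before: Jan 20 19:14:03 2021 GMT
    Not After : Sep 30 18:14:03 2024 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Validity
    Not Before: Sep 30 21:12:19 2000 GMT
    Not After : Sep 30 14:01:15 2021 GMT
Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
"""

FIELD = re.compile(r"^\s*(Issuer|Subject|Not Before|Not After)\s*:\s*(.+?)\s*$")
FMT = "%b %d %H:%M:%S %Y GMT"  # date layout used in the dumps above

def parse_certs(text):
    """Return one dict per certificate; a Subject line closes a record."""
    certs, cur = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # e.g. the bare "Validity" header
        key, val = m.groups()
        if key.startswith("Not"):
            val = datetime.strptime(val, FMT).replace(tzinfo=timezone.utc)
        cur[key] = val
        if key == "Subject":
            certs.append(cur)
            cur = {}
    return certs

def audit(certs, now):
    """Per cert: expired itself? issuer's own cert expired (None if absent)?"""
    by_subject = {c["Subject"]: c for c in certs}  # name match only (assumption)
    report = []
    for c in certs:
        issuer = by_subject.get(c["Issuer"])
        report.append({
            "subject": c["Subject"],
            "self_signed": c["Issuer"] == c["Subject"],
            "expired": now > c["Not After"],
            "issuer_expired": None if issuer is None else now > issuer["Not After"],
        })
    return report
```

Calling `audit(parse_certs(SAMPLE), ...)` with the date of this thread shows the cross-cert as still valid while its issuer is expired, which is the condition a strict checker may complain about.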