On Thu, Feb 03, 2022 at 07:27:30PM +0100, Matus UHLAR - fantomas wrote:
> > On Thu, Feb 03, 2022 at 06:51:09PM +0100, Matus UHLAR - fantomas wrote:
> > > sorry, the third one is not expired:
> > >
> > > Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
> > > Validity
> > >     Not Before: Jan 20 19:14:03 2021 GMT
> > >     Not After : Sep 30 18:14:03 2024 GMT
> > > Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
> > >
> > > the root that signs it is expired:
> > >
> > > Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
> > > Validity
> > >     Not Before: Sep 30 21:12:19 2000 GMT
> > >     Not After : Sep 30 14:01:15 2021 GMT
> > > Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
> > >
> > > I was writing from memory.
>
> On 03.02.22 12:55, Viktor Dukhovni wrote:
> > Yes, most systems (other than ancient Android systems) are expected to
> > have the ISRG root in place, and prefer it to the cross-cert in the
> > chain.
> >
> > Since MTAs (at least on port 25) are not typically serving old Android
> > phones as clients, one might consider configuring the ACME client to
> > build a chain anchored at the ISRG root, without the DST cross-cert.
>
> ...and it's possible that some clients/checkers complain because of the DST root
> being expired (the last intermediate certificate is signed by an expired CA)
Based on the discussions, I suspect this is what is happening - the aircanada smtp servers are rejecting my Let's Encrypt certificate due to the expired cross signature from DST Root CA X3, which expired in September, on the ISRG Root X1 CA.

On a Debian 10 machine I could reproduce this validation failure, even despite having openssl 1.1.1d, until I removed DST Root CA X3 from the system ca-certificates.

The only configuration change I made in response to this discussion was to disable smtpd_tls_ask_ccert - I'm not sure why this was ever enabled.

I'll update in a week or two when I see another e-mail from aircanada.

Thanks,
mh

--
Martin Hicks P.Eng. | m...@bork.org
Bork Consulting Inc. | +1 (613) 266-2296
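The thread above turns on how a verifier builds its path when the server's chain carries the cross-signed ISRG Root X1 (issued by the now-expired DST Root CA X3) and the local store also carries the self-signed ISRG Root X1. The following is an added example, not code from the thread or from Postfix/OpenSSL: a small model of X.509 path building with certificates reduced to subject, issuer and notAfter. It contrasts a "trusted-first" verifier (consult the local store before the server chain at every hop) with a legacy "chain-first" one (walk the server chain to the top, then look for an anchor, backing off to alternative chains only when no anchor is found), and runs both over the four situations discussed: the default chain with the cross-cert, a store with DST removed (the fix Martin applied), and a chain anchored directly at ISRG Root X1 (Viktor's suggestion). The two certificates quoted in the thread use the dates printed there; the self-signed ISRG Root X1, the R3 intermediate, the leaf for mail.example.org and the evaluation date are assumptions, as is the trust-store content.

```python
"""Model of X.509 path building, written to illustrate the thread (not real code)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # the one field this failure mode depends on


def _utc(text):
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


# Certificates quoted in the thread (Not After as printed by openssl x509 -text).
DST_ROOT_X3 = Cert("DST Root CA X3", "DST Root CA X3", _utc("Sep 30 14:01:15 2021"))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", _utc("Sep 30 18:14:03 2024"))
# Assumed, not on the page: the self-signed ISRG Root X1, the R3 intermediate,
# a made-up MTA leaf, and the evaluation date (the day of the thread).
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", _utc("Jun 04 11:04:38 2035"))
R3 = Cert("R3", "ISRG Root X1", _utc("Sep 15 16:00:00 2025"))
LEAF = Cert("mail.example.org", "R3", _utc("Apr 15 00:00:00 2022"))
NOW = _utc("Feb 03 12:00:00 2022")

FULL_CHAIN = [R3, ISRG_X1_CROSS]        # default Let's Encrypt chain: cross-cert included
SHORT_CHAIN = [R3]                      # chain anchored at ISRG Root X1 only
STORE_WITH_DST = [ISRG_X1_SELF, DST_ROOT_X3]
STORE_WITHOUT_DST = [ISRG_X1_SELF]      # DST Root CA X3 removed from ca-certificates


def build_path(leaf, chain, store, trusted_first):
    """Return a path from leaf to a certificate in `store`, or None if no anchor is found.

    trusted_first=True: at each hop, look for the issuer in the local store first, so
    a cross-signed root sent by the server is ignored when the store already holds the
    self-signed version. trusted_first=False: follow the server-sent chain first and
    consult the store only when the chain runs out; if that leads nowhere, back off one
    hop at a time looking for an anchor (alternative chains). Expiry is checked later by
    verify(), not here, which is why an expired anchor found at the top "wins".
    """
    store_by_subject = {c.subject: c for c in store}
    chain_by_subject = {c.subject: c for c in chain}
    path = [leaf]
    while True:
        cur = path[-1]
        lookups = [store_by_subject.get(cur.issuer), chain_by_subject.get(cur.issuer)]
        if not trusted_first:
            lookups.reverse()
        nxt = next((c for c in lookups if c is not None and c is not cur), None)
        if nxt is None:
            break  # ran out of issuers; try alternative chains below
        path.append(nxt)
        if nxt in store:
            return path  # reached a trust anchor
    # Alternative-chain fallback: drop the top certificate and retry the store.
    while len(path) > 1:
        path.pop()
        anchor = store_by_subject.get(path[-1].issuer)
        if anchor is not None:
            path.append(anchor)
            return path
    return None


def verify(path, now):
    """Return (ok, detail): every certificate on the path must still be within validity."""
    if path is None:
        return False, "unable to get issuer certificate"
    for c in path:
        if now > c.not_after:
            return False, f"certificate has expired: {c.subject}"
    return True, " -> ".join(c.subject for c in path)


def check(chain, store, trusted_first, now=NOW):
    """Build and verify a path for LEAF with the given server chain and local store."""
    return verify(build_path(LEAF, chain, store, trusted_first), now)


if __name__ == "__main__":
    cases = {
        "legacy verifier, full chain, DST in store": (FULL_CHAIN, STORE_WITH_DST, False),
        "trusted-first verifier, full chain, DST in store": (FULL_CHAIN, STORE_WITH_DST, True),
        "legacy verifier, full chain, DST removed": (FULL_CHAIN, STORE_WITHOUT_DST, False),
        "legacy verifier, short chain, DST in store": (SHORT_CHAIN, STORE_WITH_DST, False),
    }
    for label, args in cases.items():
        print(f"{label}: {check(*args)}")
```

Only the first case fails, and it fails on the expired DST root rather than on the cross-cert itself, which is what the "signed by an expired CA" observation above comes down to. Removing DST Root CA X3 from the store fixes a legacy verifier because the chain-first walk no longer finds an anchor at the top and falls back to ISRG Root X1 one hop down; serving the short chain fixes it regardless of which store the peer has, provided the peer has the self-signed ISRG Root X1. To see what a real MTA sends, `openssl s_client -starttls smtp -connect mail.example.org:25 -showcerts` prints the served chain, and `openssl verify -CAfile <store> -untrusted <chain> <leaf>` reproduces the verdict against a chosen store; with certbot (an assumption about the ACME client in use) the short chain is selected with `--preferred-chain "ISRG Root X1"`.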