Hi, Camille,

On 2023-09-12 06:18, Camille - Clean Mailbox via mailop wrote:
> I think my certificate chain is fine, no trace of DST.

It's hiding there in the last certificate in the chain you pasted, which I also see when I connect:

> 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>   i:O = Digital Signature Trust Co., CN = DST Root CA X3

You're serving Let's Encrypt's "long chain," which includes a copy of ISRG Root X1 that's cross-signed by the expired DST Root CA X3. Taavi Eomäe correctly pointed out that clients are supposed to accept this, so this may not really be the cause of the problem you're seeing - but we do live in a world with many imperfect clients. I recommend you first check to make sure you're using an up-to-date version of Certbot. Then, check your renewal data file in `/etc/letsencrypt/renewal/clean-mailbox.com.conf`. If there's a line like `preferred_chain = "DST Root CA X3"`, remove it, then run `certbot renew --cert-name clean-mailbox.com --force-renewal` (just once, so that you don't hit Let's Encrypt's rate limits).
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
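An added example, not part of anyone's message in this thread: a POSIX sh script that reads the chain listing `openssl s_client -showcerts` prints and reports whether the last certificate is issued by DST Root CA X3 (the long chain), plus a check for a `preferred_chain` pin in a Certbot renewal file. The sample listings are constructed, and the host name in the final comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: detect Let's Encrypt's "long chain"
# (ISRG Root X1 cross-signed by the expired DST Root CA X3) in the chain
# listing that `openssl s_client -showcerts` prints, and look for a
# preferred_chain pin in a Certbot renewal file.

# Print the issuer of the last certificate in an s_client chain listing read
# from stdin. s_client prints each entry as " N s:<subject>" followed by
# "   i:<issuer>", so the last "i:" line is the final certificate's issuer.
last_issuer() {
    awk '/^ *i:/ { sub(/^ *i:/, ""); last = $0 } END { print last }'
}

# Exit 0 if the chain on stdin ends in a certificate issued by DST Root CA X3
# (the long chain), 1 otherwise (short chain or no chain at all).
chain_is_long() {
    case "$(last_issuer)" in
        *"CN = DST Root CA X3"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if the given Certbot renewal conf pins preferred_chain to DST Root CA X3.
renewal_pins_dst() {
    grep -Eq '^[[:space:]]*preferred_chain[[:space:]]*=.*DST Root CA X3' "$1"
}

# Constructed sample chain listings (the long one mirrors the thread's output).
sample_long_chain() {
cat <<'EOF'
Certificate chain
 0 s:CN = clean-mailbox.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
EOF
}
sample_short_chain() {
    sample_long_chain | head -n 5   # stops after cert 1, issued by ISRG Root X1
}

# Live use (needs network; mail.example.com is a placeholder):
#   openssl s_client -connect mail.example.com:465 -showcerts </dev/null 2>/dev/null \
#       | chain_is_long && echo "long chain served"
```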