Am 13.07.23 um 16:09 schrieb Viktor Dukhovni via Exim-users:
If the issue is observed on the MX host for your domain, note that its
certificate chains up to the already expired "DST Root CA X3":
where do you see an expired cert here? Or did you mean "soon to be
reaching eol" ?
Certificate:
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Not Before: Jan 20 19:14:03 2021 GMT
Not After : Sep 30 18:14:03 2024 GMT
Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1
While most clients have a local trusted "ISRG Root X1" CA, and
short-circuit the chain at the first locally trusted issuer, some might
not perform the short-circuit lookup (e.g. old OpenSSL versions prior to
1.1.0).
You should reconfigure your Let's Encrypt setup to obtain a chain that's
rooted at the ISRG CA. With certbot, add to the
"renewal/<lineage>.conf" file's "renewalparams" section:
A good hint, we use "Dehydrated" here, have to figure out how to do it here.
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
