Hello, looks like invisible-mirror.net stumbled over the recent letsencrypt change <https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/> it sends a chain signed by the expired R3 cert: ametzler@argenau:/tmp/EXIM4$ gnutls-cli invisible-mirror.net Processed 127 CA certificate(s). Resolving 'invisible-mirror.net:443'... Connecting to '160.153.42.69:443'... - Certificate type: X.509 - Got a certificate list of 2 certificates. - Certificate[0] info: - subject `CN=invisible-mirror.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0361c3003e1413e8655113f8907eeb16e4b4, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-08-01 17:19:48 UTC', expires `2021-10-30 17:19:46 UTC', pin-sha256="LnOGaFwh9ztb+ce0tQdEB/Gx3A0dBPJjYzDn+Sdu+8A=" Public Key ID: sha1:1b7234964165216ed84d88ad8d5f8c836fc01f72 sha256:2e7386685c21f73b5bf9c7b4b5074407f1b1dc0d1d04f2636330e7f9276efbc0 Public Key PIN: pin-sha256:LnOGaFwh9ztb+ce0tQdEB/Gx3A0dBPJjYzDn+Sdu+8A=
- Certificate[1] info: - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x400175048314a4c8218c84a90c16cddf, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-10-07 19:21:40 UTC', expires `2021-09-29 19:21:40 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=" - Status: The certificate is NOT trusted. The certificate chain uses expired certificate. *** PKI verification of server certificate failed... *** Fatal error: Error in the certificate. Net sure why it works in firefox, but it fails with lynx. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
