Hi James,
I'm using certbot 2.1.0 (provided with Debian 12). I don't have anything
like this in my renewal configuration file:
[renewalparams]
account = [my ID]
authenticator = dns-cloudflare
dns_cloudflare_propagation_seconds = 30
dns_cloudflare_credentials = /etc/letsencrypt/cloudflare-clean-mailbox.ini
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
I'm not sure how I can get rid of this DST Root CA X3.
Best regards,
Camille
On 12/09/2023 at 08:42, James Renken via mailop wrote:
Hi, Camille,
On 2023-09-12 06:18, Camille - Clean Mailbox via mailop wrote:
> I think my certificate chain is fine, no trace of DST.
It's hiding there in the last certificate in the chain you pasted,
which I also see when I connect:
> 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>   i:O = Digital Signature Trust Co., CN = DST Root CA X3
You're serving Let's Encrypt's "long chain," which includes a copy of
ISRG Root X1 that's cross-signed by the expired DST Root CA X3. Taavi
Eomäe correctly pointed out that clients are supposed to accept this,
so this may not really be the cause of the problem you're seeing - but
we do live in a world with many imperfect clients.
I recommend you first check to make sure you're using an up-to-date
version of Certbot. Then, check your renewal data file in
`/etc/letsencrypt/renewal/clean-mailbox.com.conf`. If there's a line
like `preferred_chain = "DST Root CA X3"`, remove it, then run
`certbot renew --cert-name clean-mailbox.com --force-renewal` (just
once, so that you don't hit Let's Encrypt's rate limits).
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
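As an added example (editor's code, not something posted in the thread): a small POSIX sh script that performs the two checks James describes. The first reads the "s:"/"i:" subject/issuer lines that `openssl s_client` prints and tells whether the last certificate is issued by DST Root CA X3, i.e. whether the server sends the cross-signed ISRG Root X1 ("long chain"). The second extracts any `preferred_chain` value from a renewal conf. The chain dumps and conf fragments are constructed inline so the script runs offline; the host and ports in the comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the mailop thread. Two checks:
#  1. does a server's chain end in the ISRG Root X1 cert cross-signed by the
#     expired DST Root CA X3 (Let's Encrypt's "long chain")?
#  2. does a certbot renewal conf carry a preferred_chain line, and which one?
# All inputs below are constructed to mirror the formats of
# `openssl s_client -connect host:port` output and /etc/letsencrypt/renewal/*.conf.

# Constructed "long chain": leaf, R3 intermediate, then the cross-signed root.
LONG_CHAIN='Certificate chain
 0 s:CN = clean-mailbox.com
   i:C = US, O = Let'\''s Encrypt, CN = R3
 1 s:C = US, O = Let'\''s Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3'

# Constructed "short chain": stops at R3, whose issuer is the self-signed ISRG Root X1.
SHORT_CHAIN='Certificate chain
 0 s:CN = clean-mailbox.com
   i:C = US, O = Let'\''s Encrypt, CN = R3
 1 s:C = US, O = Let'\''s Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1'

# Constructed renewal conf fragments, with and without a preferred_chain line.
CONF_WITH='[renewalparams]
authenticator = dns-cloudflare
preferred_chain = "DST Root CA X3"
server = https://acme-v02.api.letsencrypt.org/directory'

CONF_WITHOUT='[renewalparams]
authenticator = dns-cloudflare
server = https://acme-v02.api.letsencrypt.org/directory'

# Print the issuer of the last certificate in an s_client "Certificate chain" dump
# (the text after the final "i:" marker).
last_issuer() {
    printf '%s\n' "$1" | awk '
        /^ *i:/ { issuer = $0 }
        END { sub(/^ *i:/, "", issuer); print issuer }'
}

# Succeed (exit 0) when the chain ends at the DST Root CA X3 cross-sign.
serves_long_chain() {
    case "$(last_issuer "$1")" in
        *"DST Root CA X3"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of a preferred_chain line (surrounding quotes stripped),
# or nothing when the conf has no such line.
preferred_chain_of() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*preferred_chain[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p'
}

# Report on one chain dump under a label.
report_chain() {
    if serves_long_chain "$2"; then
        echo "$1: last cert issued by DST Root CA X3 (long chain)"
    else
        echo "$1: no DST Root CA X3 in chain (last issuer: $(last_issuer "$2"))"
    fi
}

# For a live server, replace the constructed dump with real output, e.g.
# (host and port are placeholders; use -starttls smtp and port 25 for SMTP):
#   openssl s_client -connect clean-mailbox.com:443 -servername clean-mailbox.com </dev/null 2>/dev/null
report_chain LONG_CHAIN "$LONG_CHAIN"
report_chain SHORT_CHAIN "$SHORT_CHAIN"
echo "CONF_WITH: preferred_chain=$(preferred_chain_of "$CONF_WITH")"
echo "CONF_WITHOUT: preferred_chain=$(preferred_chain_of "$CONF_WITHOUT")"
```

One caveat worth knowing when reading James's advice: at the time of this thread the chain Let's Encrypt's ACME server returned by default was the long one, so a renewal conf with no `preferred_chain` line still yields the cross-signed ISRG Root X1. Certbot selects the alternate, short chain when asked for `--preferred-chain "ISRG Root X1"` (matched against the issuer CN of the topmost certificate), and records that choice as `preferred_chain = ISRG Root X1` in the renewal conf so later `certbot renew` runs keep it.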