On Thu, Feb 03, 2022 at 06:51:09PM +0100, Matus UHLAR - fantomas wrote:
> sorry, the third one is not expired:
>
> Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
> Validity
> Not Before: Jan 20 19:14:03 2021 GMT
> Not After : Sep 30 18:14:03 2024 GMT
> Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
>
> the root that signs it is expired:
>
> Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
> Validity
> Not Before: Sep 30 21:12:19 2000 GMT
> Not After : Sep 30 14:01:15 2021 GMT
> Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
>
> I was writing from memory.
Yes, most systems (other than ancient Android systems) are expected to
have the ISRG root in place, and prefer it to the cross-cert in the
chain.
Since MTAs (at least on port 25) are not typically serving old Android
phones as clients, one might consider configuring the ACME client to
build a chain anchored at the ISRG root, without the DST cross-cert.
--
Viktor.
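As an added illustration of the point above (example code, not from the thread or from any ACME client), the Go program below builds a throwaway PKI that mirrors the names and expiry dates quoted in the thread and then verifies the served chain from two client viewpoints: one that trusts ISRG Root X1 directly, and one that trusts only the expired DST Root CA X3. Keys, the leaf and R3 names and dates, and the ISRG root's 2035 expiry are constructed assumptions; only the DST and cross-cert dates come from the quoted output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a constructed test cert for cn; nil key = fresh throwaway key, nil parent = self-signed.
func issue(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, notAfter time.Time, ca bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	if key == nil {
		key, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: notAfter, IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildPKI returns [leaf, R3, ISRG cross-cert, ISRG root, DST root]; DST/cross dates from the thread, the rest made up.
func BuildPKI() []*x509.Certificate {
	dst, dstKey := issue("DST Root CA X3", nil, nil, nil, time.Date(2021, 9, 30, 14, 1, 15, 0, time.UTC), true)
	isrgRoot, isrgKey := issue("ISRG Root X1", nil, nil, nil, time.Date(2035, 1, 1, 0, 0, 0, 0, time.UTC), true)
	isrgCross, _ := issue("ISRG Root X1", isrgKey, dst, dstKey, time.Date(2024, 9, 30, 18, 14, 3, 0, time.UTC), true)
	r3, r3Key := issue("R3", nil, isrgRoot, isrgKey, time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC), true)
	leaf, _ := issue("mx.example.org", nil, r3, r3Key, time.Date(2022, 5, 1, 0, 0, 0, 0, time.UTC), false)
	return []*x509.Certificate{leaf, r3, isrgCross, isrgRoot, dst}
}

// Verifies reports whether leaf chains to root at time at, given the extra certs the server sent (as on the wire).
func Verifies(leaf *x509.Certificate, sent []*x509.Certificate, root *x509.Certificate, at time.Time) bool {
	inter, trusted := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	trusted.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Intermediates: inter, Roots: trusted, CurrentTime: at})
	return err == nil
}
```

A client that has the ISRG root verifies the chain at the February 2022 date whether the DST cross-cert is served or not, so dropping it costs nothing for such clients; a client that trusts only DST Root CA X3 verified the cross-signed chain until 30 Sep 2021 and fails afterwards regardless of what the server sends.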