On Thu, Feb 03, 2022 at 06:51:09PM +0100, Matus UHLAR - fantomas wrote:

> sorry, the third one is not expired:
>
> Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
> Validity
> Not Before: Jan 20 19:14:03 2021 GMT
> Not After : Sep 30 18:14:03 2024 GMT
> Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
>
> the root that signs it is expired:
>
> Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
> Validity
> Not Before: Sep 30 21:12:19 2000 GMT
> Not After : Sep 30 14:01:15 2021 GMT
> Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
>
> I was writing from memory.
Yes, most systems (other than ancient Android systems) are expected to have the ISRG root in place, and prefer it to the cross-cert in the chain. Since MTAs (at least on port 25) are not typically serving old Android phones as clients, one might consider configuring the ACME client to build a chain anchored at the ISRG root, without the DST cross-cert.

-- 
    Viktor.
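To make the chain-building behaviour described above concrete, here is an added toy path builder (not code from the thread, from Postfix, or from any ACME client) that models how a client walks the served chain and stops at the first issuer found in its own trust store, so a locally present ISRG Root X1 wins over the DST cross-cert, while a store that only has DST Root CA X3 is forced through the cross-cert onto an expired anchor. Only the cross-signed ISRG Root X1 and DST Root CA X3 validity dates come from the thread; the leaf, the R3 intermediate and the self-signed ISRG Root X1 entries use constructed dates.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when):
        return self.not_before <= when <= self.not_after

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Cross-cert and DST root validity are from the thread above; all other dates are constructed.
LEAF = Cert("mail.example.org", "R3", _utc(2022, 1, 1), _utc(2022, 4, 1))
R3 = Cert("R3", "ISRG Root X1", _utc(2020, 9, 4), _utc(2025, 9, 15))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", _utc(2021, 1, 20), _utc(2024, 9, 30))
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", _utc(2015, 6, 4), _utc(2035, 6, 4))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", _utc(2000, 9, 30), _utc(2021, 9, 30))
WHEN = _utc(2022, 2, 3)  # date of this thread

MODERN_STORE = [ISRG_X1_SELF, DST_X3]   # trust store that knows the ISRG root
OLD_STORE = [DST_X3]                    # store that never learned ISRG Root X1
LONG_CHAIN = [LEAF, R3, ISRG_X1_CROSS]  # default chain ending in the DST cross-cert
SHORT_CHAIN = [LEAF, R3]                # chain meant to anchor at ISRG Root X1

def build_path(chain, trust_store, when):
    """Walk the served chain upward from the leaf; stop at the first issuer that is
    a local trust anchor, ignoring any further certs (such as the cross-cert) the
    server sent. Returns (ok, [subjects on the path], reason)."""
    anchors = {c.subject: c for c in trust_store}
    path, cur = [], chain[0]
    while True:
        if not cur.valid_at(when):
            return False, [c.subject for c in path + [cur]], "expired: " + cur.subject
        path.append(cur)
        anchor = anchors.get(cur.issuer)
        if anchor is not None:
            names = [c.subject for c in path] + [anchor.subject]
            if not anchor.valid_at(when):
                return False, names, "expired anchor: " + anchor.subject
            return True, names, "anchored at " + anchor.subject
        nxt = next((c for c in chain if c.subject == cur.issuer), None)
        if nxt is None or nxt is cur:
            return False, [c.subject for c in path], "no issuer for " + cur.subject
        cur = nxt
```

Running `build_path` on the four store/chain combinations shows the trade-off: with the ISRG root installed, the long and short chains both validate and the cross-cert is never consulted; without it, the long chain dies on the expired DST anchor and the short chain has no anchor at all.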