LE/DST expired root: workaround #2

Felipe Gasper felipe at felipegasper.com
Fri Oct 1 01:28:17 UTC 2021



^^ This document indicates that, by enabling trusted-first mode, I should be able to work around the LE expiration problem.

I’m either misunderstanding this or “holding it wrong”, though, because I can’t see that setup making any difference.

I’ve got a chain with:
1) leaf cert (felipegasper.com)
2) Let’s Encrypt R3
3) … and the cert called “ISRG Root X1” that is *not*, in fact, a root cert

Cert #3 in the above is issued by the now-expired “DST Root CA X3”, so including it (understandably) “misleads” `openssl verify` into looking into its root store for that cert’s issuer, which causes a verification failure.

I notice, though, that connection handshakes succeed despite the non-self-signed “ISRG Root X1” being part of the sent chain.

Is there a way I can make `openssl verify` behave the same way as connection handshakes? So the 3 certs I have in my chain will pass OpenSSL’s dedicated verification logic?

Thank you!

-Felipe Gasper

More information about the openssl-users mailing list