LE/DST expired root: workaround #2
Felipe Gasper
felipe at felipegasper.com
Fri Oct 1 01:28:17 UTC 2021
Hello,
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
^^ This document indicates that, by enabling trusted-first mode, I should be able to work around the LE expiration problem.
I’m either misunderstanding this or “holding it wrong”, though, because I can’t see that setup making any difference.
I’ve got a chain with:
1) leaf cert (felipegasper.com)
2) Let’s Encrypt R3
3) … and the cert called “ISRG Root X1” that is *not*, in fact, a root cert
Cert #3 in the above is issued by the now-expired “DST Root CA X3”, so including it (understandably) “misleads” `openssl verify` into looking into its root store for that cert’s issuer, which causes a verification failure.
I notice, though, that connection handshakes succeed despite the non-self-signed “ISRG Root X1” being part of the sent chain.
Is there a way I can make `openssl verify` behave the same way as connection handshakes? So the 3 certs I have in my chain will pass OpenSSL’s dedicated verification logic?
Thank you!
cheers,
-Felipe Gasper
More information about the openssl-users
mailing list