On September 30, the "DST Root CA X3" certificate from Let's Encrypt expired (https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/). This is causing quite some issues in older clients, or clients that don't have a good path-finding algorithm in place. This means you can get certificate expired errors even though there is another certificate chain that is valid.
My knowledge on this topic is really lacking, but from what I currently understand, there are a few ways to solve this:
Disable the "DST Root CA X3" certificate on the client. As this needs to happen on any device this is not really a viable option.
Update the client to find the correct certificate. This is a viable option but requires all flawed clients to be updated; this is not always possible and will take a while.
Generate the certificate using a shorter certificate chain. See this comment here or this post on the LE community forum.
Would it be possible to incorporate this preferred-chain strategy into the acme companion? Or at least make it an option. I tried looking for a call to certbot but couldn't find one, so I'm not sure what would be required to make that change.
The post mentioned the following command to use the shorter chain and overcome this issue: