[Discuss] DST Root CA X3 Expiry and CA bundles
Bill Ricker
bill.n1vux at gmail.com
Sat Oct 2 00:47:04 EDT 2021
On Fri, Oct 1, 2021 at 9:34 PM Rich Pieri <richard.pieri at gmail.com> wrote:
> contains several expired CA certs including the now expired
> *DST Root CA X3 certificate.*
> This can cause problems with Let's Encrypt certificates
> even though the bundle has the ISRG Root X1 CA cert.
*Let's Encrypt* had posted notice of this oncoming chain-change back in
March & April, their changes to support this effective in May.
https://community.letsencrypt.org/t/production-chain-changes/150739
&
https://community.letsencrypt.org/t/providing-a-longer-certificate-chain-by-default/148738
> In my particular
> case, Sylpheed thinks my Let's Encrypt cert is expired even though
> it clearly is not. Might be a Sylpheed bug.
>
Wouldn't be the first to fail to check an alternate chain correctly.
Likely won't be the last either *sigh* (Gotta have test cases for the
edge cases!)
*SANS Internet Storm Center* covered this pending doom in the daily podcast
for Tuesday Sep 28th (eps 7690).
https://isc.sans.edu/podcastdetail.html?id=7690 *should* show you the notes
for eps. 7690
(but the web app is going to Friday now, and PREVIOUS just loops, oopsie;
but the link they provided is pasted above, I got it from the RSS feed
for you.)
https://traffic.libsyn.com/securitypodcast/7690.mp3