[Discuss] DST Root CA X3 Expiry and CA bundles

[bill.n1vux at gmail.com (Bill Ricker)]

On Fri, Oct 1, 2021 at 9:34 PM Rich Pieri <richard.pieri at gmail.com> wrote:

> contains several expired CA certs including the now expired
> *DST Root CA X3 certificate. *
> This can cause problems with Let's Encrypt certificates
> even though the bundle has the ISRG Root X1 CA cert.


*Let's Encrypt *had posted notice of this oncoming chain-change back in
March & April, their changes to support this effective in May.
https://community.letsencrypt.org/t/production-chain-changes/150739
&
https://community.letsencrypt.org/t/providing-a-longer-certificate-chain-by-default/148738


> In my particular
> case, Sylpheed thinks my Let's Encrypt cert is expired even though
> it clearly is not. Might be a Sylpheed bug.
>

Wouldn't be the first to fail to check an alternate chain correctly.
Likely won't be the last either *sigh*  (Gotta have test cases for the
edgecases !)

*SANS Internet Storm Center* covered this pending doom in the daily podcast
for Tuesday Sep 28th (eps 7690).
https://isc.sans.edu/podcastdetail.html?id=7690 *should* show you the notes
for eps. 7690
   (but the web app is going to Friday now, and PREVIOUS just loops,
oopsie;
    but the link they provided is pasted above, i got it from the RSS feed
for you.)
https://traffic.libsyn.com/securitypodcast/7690.mp3