On Sun, Jul 18, 2021 at 06:29:41PM +0200, Andreas Metzler via Exim-users wrote:
> I do not think so. Both exim 4.94.2 and gnutls-cli and s_client[1] are
> happy with the cert setup. It is a straightforward Let's Encrypt chain.
>
> 0 s:CN = vsrv21575.customer.vlinux.de
> i:C = US, O = Let's Encrypt, CN = R3
> 1 s:C = US, O = Let's Encrypt, CN = R3
> i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
> 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
> i:O = Digital Signature Trust Co., CN = DST Root CA X3
The self-signature on the DST Root CA X3 is SHA-1, any chance the new
Exim discriminates against SHA-1 self-signed roots? This root CA
expires on 2021-09-30...
FWIW, OpenSSL will typically ignore the depth 2 certificate by finding
the "ISRG X1" root in the local trust store. I don't know what GnuTLS
does, or whether the ISRG Root is installed in the GnuTLS trust store
on your system.
--
Viktor.