Re: [exim] TLS "certificate expired" warnings on inbound con…

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] TLS "certificate expired" warnings on inbound connections
On Tue, May 31, 2022 at 09:55:22PM +0200, Tim Jackson via Exim-users wrote:

> Thanks for the clarification. So the issue is the client verification of the
> server cert, not a client cert.


Yes, unless I've grossly misread your description of the symptoms.

> > The DST Root CA is expired. You can configure LE to build a
> > "fullchain.pem" using the ISRG root instead. The only downside is that
> > old Android systems may no longer be able to verify your chain.
>
> OK, so my original theory was right (and, if I understand rightly, this is an
> outdated client implementation).


Yes.

> Is the solution 'certbot --preferred-chain
> "ISRG Root X1"' then? (As I mentioned, I currently use acme-tiny rather than
> certbot, which unfortunately doesn't seem to support choosing the chain [1],
> so I guess I have to switch)


Something like that. One way or another avoid the DST root.

-- 
    Viktor.
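
To confirm that a served chain really does avoid the DST root, as the reply advises, the issuer of every certificate in the bundle can be inspected. The following is an added example, not part of the original message; the function names are hypothetical, it assumes the `openssl` command-line tool is installed, and the demo certificates are constructed throwaway stand-ins that only reuse the real CA names.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.

# list_chain FILE: print the subject=/issuer= pair of every certificate in a PEM bundle.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# chain_uses_dst_root FILE: exit 0 if any certificate in FILE was issued by DST Root CA X3.
chain_uses_dst_root() {
    list_chain "$1" | grep '^issuer' | grep -q 'DST Root CA X3'
}

# check_chain FILE: one-line verdict; non-zero status when the DST root is in the path.
check_chain() {
    if chain_uses_dst_root "$1"; then
        echo "FAIL: $1 chains to DST Root CA X3"
        return 1
    fi
    echo "OK: $1 avoids DST Root CA X3"
}

# make_demo_chains DIR: constructed test input only (fresh keys, 1-day validity).
#   DIR/long.pem  = "ISRG Root X1" cross-signed by a stand-in "DST Root CA X3"
#   DIR/short.pem = "ISRG Root X1" self-signed
make_demo_chains() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=DST Root CA X3" \
        -keyout "$d/dst.key" -out "$d/dst.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ISRG Root X1" \
        -keyout "$d/isrg.key" -out "$d/isrg.csr" 2>/dev/null
    openssl x509 -req -in "$d/isrg.csr" -CA "$d/dst.pem" -CAkey "$d/dst.key" \
        -CAcreateserial -days 1 -out "$d/long.pem" 2>/dev/null
    openssl x509 -req -in "$d/isrg.csr" -signkey "$d/isrg.key" \
        -days 1 -out "$d/short.pem" 2>/dev/null
}
```

After sourcing the file, run `check_chain` on the `fullchain.pem` your ACME client writes; a `FAIL` line means the bundle still includes the cross-signed certificate.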