On Tue, May 31, 2022 at 09:55:22PM +0200, Tim Jackson via Exim-users wrote:
> Thanks for the clarification. So the issue is the client verification of the
> server cert, not a client cert.
Yes, unless I've grossly misread your description of the symptoms.
> > The DST Root CA is expired. You can configure LE to build a
> > "fullchain.pem" using the ISRG root instead. The only downside is that
> > old Android systems may no longer be able to verify your chain.
>
> OK, so my original theory was right (and, if I understand rightly, this is an
> outdated client implementation).
Yes.
> Is the solution 'certbot --preferred-chain
> "ISRG Root X1"' then? (As I mentioned, I currently use acme-tiny rather than
> certbot, which unfortunately doesn't seem to support choosing the chain [1],
> so I guess I have to switch)
Something like that. One way or another avoid the DST root.
--
Viktor.
