Hello,
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
^^ This document indicates that, by enabling trusted-first mode, I should be
able to work around the LE expiration problem.
I’m either misunderstanding this or “holding it wrong”, though, because I can’t
see that setup making any difference.
I’ve got a chain with:
1) leaf cert (felipegasper.com)
2) Let’s Encrypt R3
3) … and the cert called “ISRG Root X1” that is *not*, in fact, a root cert
Cert #3 in the above is issued by the now-expired “DST Root CA X3”, so
including it (understandably) “misleads” `openssl verify` into looking into its
root store for that cert’s issuer, which causes a verification failure.
I notice, though, that connection handshakes succeed despite the
non-self-signed “ISRG Root X1” being part of the sent chain.
Is there a way I can make `openssl verify` behave the same way as connection
handshakes? So the 3 certs I have in my chain will pass OpenSSL’s dedicated
verification logic?
Thank you!
cheers,
-Felipe Gasper
