indianaqert.blogg.se

Openssl unable to get local issuer certificate














The exact setup here varies depending on which ACME client you're using, but in all cases the web server should use only files from the ACME client's "live" or "output" folder. For example, the issued server certificate is being read from the cert.pem updated by your ACME client, as it should be, but the "certificate chain" is being read from a chain.pem that was manually copied and pasted and so isn't picking up the updates from ACME. Or the certificate is being auto-renewed, but the automation is giving the wrong certificate file to the web server. Or perhaps the ACME client you have was ACMEv1-only and stopped working when LE fully replaced that with ACMEv2, so automatic renewals stopped happening as well.

Forcing a renewal would probably fix the issue. The certificate was installed manually, without setting up any automatic renewal, and left like that for several years (and nobody cared about it expiring).

In other words, your s_client output shows a very outdated certificate chain – one that LE's ACME servers stopped providing long ago, even long before the September 2021 DST expiry. (Other similar threads that are 'solved' by uninstalling the DST CA are actually using a newer certificate chain, one where the LE intermediate is instead signed by ISRG CA and that is cross-signed by DST CA, allowing for two alternative validation paths.) The chain that you're seeing used to be correct a very long time ago, before the "ISRG Root CA" was established.


The trusted CA update isn't going to help here (yet), because the server is currently offering outdated LE intermediates that can only be linked to DST CA – the TLS client has no way of associating it with the ISRG CA in the first place. Your issue is related to DST X1, but actually goes a bit deeper than the usual "expired CA" topics.
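As an added example (not code from the original page), this Python script reads the `Certificate chain` block of `openssl s_client` output and tells the outdated chain that links only to the DST CA apart from the newer one where the ISRG root is cross-signed by DST. The two sample blocks and the host www.example.org are constructed, and the function names are hypothetical.

```python
import re

# Constructed samples of the "Certificate chain" block printed by
# `openssl s_client`; www.example.org is a placeholder host.
OLD_CHAIN = """Certificate chain
 0 s:CN = www.example.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---"""
NEW_CHAIN = """Certificate chain
 0 s:CN = www.example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---"""

# "<depth> s:<subject>" line immediately followed by its "i:<issuer>" line.
PAIR = re.compile(r"^[ \t]*(\d+) s:(.*)\n[ \t]*i:(.*)$", re.M)

def cn(dn):
    """CN of a DN printed as 'CN = x' (OpenSSL 1.1+) or '/CN=x' (older)."""
    m = re.search(r"\bCN\s*=\s*([^,/\n]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text):
    """Return [(depth, subject CN, issuer CN), ...] in the order sent."""
    return [(int(d), cn(s), cn(i)) for d, s, i in PAIR.findall(text)]

def classify(text):
    chain = parse_chain(text)
    if not chain:
        return "no-chain"
    # Each certificate's issuer must be the subject of the next one sent.
    for (_, _, issuer), (_, subject, _) in zip(chain, chain[1:]):
        if issuer != subject:
            return "broken-order"
    names = {n for _, s, i in chain for n in (s, i)}
    dst = any(n.startswith("DST Root CA") for n in names)
    isrg = any(n.startswith("ISRG Root") for n in names)
    if dst and not isrg:
        return "dst-only"            # outdated: the only path ends at DST
    if dst and isrg:
        return "isrg-cross-signed"   # two alternative validation paths
    return "isrg" if isrg else "other"

if __name__ == "__main__":
    for label, sample in (("old", OLD_CHAIN), ("new", NEW_CHAIN)):
        print(label, parse_chain(sample), classify(sample))
```

A `dst-only` result means the server itself has to be given a current chain file; changing the client's trust store cannot create a path to the ISRG root.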













