Questions re: OpenSSL Client Compatibility Changes for Let’s Encrypt Certificates

Nummer378 · May 17, 2021, 4:15pm

I just ran a few tests with a Debian Stretch test VM, default settings.

# cat /etc/os-release
PRETTY_NAME = "Debian GNU/Linux 9 (stretch)"

# wget https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem
# wget https://letsencrypt.org/certs/staging/letsencrypt-stg-root-dst.pem
# cat letsencrypt-stg-root-dst.pem letsencrypt-stg-root-x1.pem > certs-combined.pem

# openssl version
OpenSSL 1.1.0l 10 Sep 2019

Simulating that only ISRG Root X1 is in the trust store:

# openssl s_client -connect expired-root-ca-test.germancoding.com:443 -servername expired-root-ca-test.germancoding.com -verify 1 -verifyCAfile letsencrypt-stg-root-x1.pem
-> Verification: OK

Simulating that only DST Root CA X3 is in the trust store:

# openssl s_client -connect expired-root-ca-test.germancoding.com:443 -servername expired-root-ca-test.germancoding.com -verify 1 -verifyCAfile letsencrypt-stg-root-dst.pem
-> Verification error: certificate has expired

Simulating that both DST Root CA X3 and ISRG Root X1 are in the trust store:

# openssl s_client -connect expired-root-ca-test.germancoding.com:443 -servername expired-root-ca-test.germancoding.com -verify 1 -verifyCAfile certs-combined.pem
-> Verification: OK

Topic		Replies	Views
OpenSSL Client Compatibility Changes for Let’s Encrypt Certificates API Announcements	0	73735	January 27, 2021
Join us and learn about certificate chains! Help	36	6040	October 24, 2021
Please update the "Certificate Compatibility" page to include information about the new ISRG roots Site Feedback	23	3566	July 21, 2019
Provide a valid certificate chain Help	9	1062	March 30, 2023
Why Let's Encrypt Made Me A Better Cryptographer Praise	7	1617	February 8, 2018

Questions re: OpenSSL Client Compatibility Changes for Let’s Encrypt Certificates

Related topics