RHEL/CentOS 6 OpenSSL client compatibility after DST Root CA X3 expiration

This trades one problem for another... but maybe this one is less problematic (for some):

1 Like

At least this is not problematic for OpenSSL, which ignores the (now broken) self-signature.
Other applications & libraries should be able to anchor any LE chain to ISRG Root X1 directly, ignoring DST Root CA X3 completely (either because it's expired or corrupted); this was an OpenSSL-specific issue.

4 Likes

If it doesn't care about self-sign then would it need to keep same issuer? Not sure intermediate from unknown issuer in trust store would work though.

1 Like

I'm pretty sure users using this hack will know of the altered state. And as it's a client thing and not a server thing, it wouldn't influence anything else but the user when inspecting the altered certificate. Sooooo, this doesn't really matter.

3 Likes

haha nice hack - I should have visited more often!

2 Likes

Hello and thank you very much for this thread - I've been looking for a solution to this problem for some time! :)

4 Likes

This worked perfectly, thank you for the instructions!

Can anyone advise how to get php-fpm to use the new openssl version (openssl-1.0.2k), instead of the old one (1.0.1e)?

2 Likes
