what I call by lazyload problem:
EDIT: Summary of the issue after discussion below and more fiddling around.
- Some W10 versions don't ship with ISRG root baked in
- If a browser (IE, Edge or Chrome) encounters an ISRG root signed certificate, it DOES lazy load the ISRG root and it DOES appear in the root store.
That being said, non-browser OS subsystems (like rasdial, maybe others) do NOT trigger this flow and the chain cannot be verified until the ISRG root is lazy loaded through a browser.
The real "issue" here is that Rasdial is referencing the on-disk root store without using the OS's built in validation routines, and therefore isn't able to take advantage of the OS's lazy-loading.
maybe seafile have same problem?