We have a hosted customer for which we supply a Let’s Encrypt certificate. They are trying to complete PCI certification and one of the failure points is that there is an SHA-1 signed certificate in the chain.
They are reporting:
The following known CA certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak.
|-Subject : O=Digital Signature Trust Co./CN=DST Root CA X3
|-Signature Algorithm : SHA-1 With RSA Encryption
|-Valid From : Sep 30 21:12:19 2000 GMT
|-Valid To : Sep 30 14:01:15 2021 GMT
SHA-1 signed certificates that expire after January 1, 2017 are not allowed.
Is there any plan to update the certificate chain?