Pulling a specific problem out of this thread: New issuer for letsencrypt staging
After the migration to the new staging environment certificate hierarchy (Staging Hierarchy Changes), there is a new root CA certificate with the issuer CN Doctored Durian Root CA X3.
We've found that certificate (see New issuer for letsencrypt staging - #6 by jgehrcke) and started adding it to trust stores for testing purposes (we understand that this is insecure per se).
However, canonical chain verification algorithms won't pass because that root CA certificate is set to expire in the past, namely on Jan 30 14:01:15 2021 GMT.
This was first reported by @harishmurali here: New issuer for letsencrypt staging - #5 by harishmurali
In some testing scenarios, one cannot simply set the individual TLS client to 'insecure' mode -- but instead, has to do so implicitly, by adding an insecure trust anchor to the trust database. This is precisely what we do; and what we'd like to be able to continue to do.
Thoughts and quick help would be appreciated. Thanks!