I'm listing this in the "Help" category although this isn't a specific help request.
I noticed when recently converting over to use Apache's mod_md that there are three certificates in the chain that gets built:
- My own cert
- R3
- ISRG Root X1 (which is in the trust store)
An additional chain is found:
- My own cert
- R3
- ISRG Root X1
- DST Root CA X3 (in the trust store, but expired)
According to ssllabs, the only path that would require ISRG Root X1 to be included are those in the case where ISRG Root X1 was signed by DST Root CA X3. DST Root CA X3 expired Sep 30, 2021.
So we're basically sending along a signed copy of ISRG Root X1, when it should already be in everyone's trust store. Can someone explain the logic to this?
I checked here: Chain of Trust - Let's Encrypt and it doesn't seem to address the expiry of a root CA cert.