Trust ISRG Root X1 and ignore "cross-signature" DST Root CA X3 certificates
Reported by: Antonio Freixas
Owned by:
Keywords: certificate, Let's Encrypt, expired
Cc: pcjpcj
Component version:
Operating system type: Windows
Operating system version: 10
I have a website that uses a certificate from Let's Encrypt. FileZilla reports a chain of four certificates:
0 (Server certificate)
1 (Intermediate certificate)
2 (Intermediate certificate)
3 (Root certificate)
Certificate 0 is from Let's Encrypt
Certificate 1 is from ISRG Root X1
Certificate 2 is from DST Root CA X3
Certificate 3 says the issuer is self-signed (DST Root CA X3) and that it expired 9/30/2021.
Certificate 1 should be trusted. The DST Root CA X3 was a temporary work-around that Let's Encrypt used to get their certificates working. The expiration of their DST Root CA X1 certificate was always planned and the ISRG Root X1 certificate should be trusted.
The situation is fully explained at https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
I don't have any idea of how FileZilla does its certificate checks, but by complaining about the expired certificate (and not allowing a user override), some sites are inaccessible through FileZilla.
If FileZilla uses OpenSSL, the notes from Let's Encrypt say it must use version 1.1.0 or later.
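The chain the ticket describes, rebuilt in Go with constructed stand-in certificates (an added example, not FileZilla's or Let's Encrypt's code): a verifier whose trust store holds the self-signed ISRG Root X1 builds a three-certificate path and never needs the cross-signed copy, while one that trusts only DST Root CA X3 fails because the only path ends at an expired root. Every name, key and validity date here is constructed; Go's crypto/x509 is the assumed verifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn carrying pub; a nil parent makes it self-signed, otherwise signerKey must be parent's key.
func issue(cn string, ca bool, notAfter time.Time, pub *ecdsa.PublicKey, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: notAfter, IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return cert
}
// VerifyChain rebuilds the ticket's chain from constructed certificates; the leaf is validated against a store
// trusting only root (ISRG Root X1 or the expired DST Root CA X3), with the other certificates supplied untrusted.
func VerifyChain(trustISRG bool) (int, error) {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	dstKey, isrgKey, interKey, leafKey := newKey(), newKey(), newKey(), newKey()
	expired, valid := time.Now().Add(-24*time.Hour), time.Now().Add(24*time.Hour) // constructed validity windows
	dst := issue("DST Root CA X3 (constructed)", true, expired, &dstKey.PublicKey, nil, dstKey)
	isrg := issue("ISRG Root X1 (constructed)", true, valid, &isrgKey.PublicKey, nil, isrgKey)
	cross := issue("ISRG Root X1 (constructed)", true, valid, &isrgKey.PublicKey, dst, dstKey) // same key as isrg, signed by dst
	inter := issue("R3 (constructed)", true, valid, &interKey.PublicKey, isrg, isrgKey)
	leaf := issue("example.test", false, valid, &leafKey.PublicKey, inter, interKey)
	roots, inters, root := x509.NewCertPool(), x509.NewCertPool(), dst
	inters.AddCert(inter)
	inters.AddCert(cross)
	if trustISRG {
		root = isrg
	}
	roots.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return 0, err // with only DST Root CA X3 trusted, every path ends at an expired root
	}
	return len(chains[0]), nil // 3 (leaf, R3, ISRG Root X1): the cross-signed copy is never needed
}
```

The same path-building rule is what makes a client stop at ISRG Root X1 when that root is in its store, whatever extra cross-signed certificates the server sends.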