Opened 2 years ago

Last modified 2 years ago

#12691 new Bug report

Trust ISRG Root X1 and ignore "cross-signature" DST Root CA X3 certificates

Reported by: Antonio Freixas Owned by:
Priority: normal Component: FileZilla Client
Keywords: certificate, Let's Encrypt, expired Cc: pcjpcj
Component version: Operating system type: Windows
Operating system version: 10


I have a website that uses a certificate from Let's Encrypt. FileZilla reports a chain of four certificates:

0 (Server certificate)
1 (Intermediate certificate)
2 (Intermediate certificate)
3 (Root certificate)

Certificate 0 is from Let's Encrypt
Certificate 1 is from ISRG Root X1
Certificate 2 is from DST Root CA X3
Certificate 3 says the issuer is self-signed (DST Root CA X3) and that it expired 9/30/2021.

Certificate 1 should be trusted. The DST Root CA X3 was a temporary work-around that Let's Encrypt used to get their certificates working. The expiration of their DST Root CA X1 certificate was always planned and the ISRG Root X1 certificate should be trusted.

The situation is fully explained at

I don't have any idea of how FileZilla does its certificate checks, but by complaining about the expired certificate (and not allowing a user override), some sites are inaccessible through FileZilla.

If FileZilla uses OpenSSL, the notes from Let's Encrypt say it must use version 1.1.0 or later.

Change History (3)

comment:1 by Tim Kosse, 2 years ago

Status: newmoreinfo

Which version of FileZilla are you using?

comment:2 by Antonio Freixas, 2 years ago

Status: moreinfonew


comment:3 by pcjpcj, 2 years ago

Cc: pcjpcj added

Filezilla actually uses GnuTLS and not OpenSSL. GnuTLS is supposed to support LetsEncrypt's new certificate chain starting with version 3.6.14. The About box on 3.58.1 on Windows 10 says it's using GnuTLS 3.7.2, which is newer than that, but I have users on one of my servers (using the above version) running into this, too, with it claiming DST X3 is expired, even though ISRG X1 is supposed to be in the trust store in that version so it should have stopped there.

Note: See TracTickets for help on using tickets.