Opened 14 months ago
Last modified 14 months ago
#12691 new Bug report
Trust ISRG Root X1 and ignore "cross-signature" DST Root CA X3 certificates
|Reported by:||Antonio Freixas||Owned by:|
|Keywords:||certificate, Let's Encrypt, expired||Cc:||pcjpcj|
|Component version:||Operating system type:||Windows|
|Operating system version:||10|
I have a website that uses a certificate from Let's Encrypt. FileZilla reports a chain of four certificates:
0 (Server certificate)
1 (Intermediate certificate)
2 (Intermediate certificate)
3 (Root certificate)
Certificate 0 is from Let's Encrypt
Certificate 1 is from ISRG Root X1
Certificate 2 is from DST Root CA X3
Certificate 3 says the issuer is self-signed (DST Root CA X3) and that it expired 9/30/2021.
Certificate 1 should be trusted. The DST Root CA X3 was a temporary work-around that Let's Encrypt used to get their certificates working. The expiration of their DST Root CA X1 certificate was always planned and the ISRG Root X1 certificate should be trusted.
The situation is fully explained at https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
I don't have any idea of how FileZilla does its certificate checks, but by complaining about the expired certificate (and not allowing a user override), some sites are inaccessible through FileZilla.
If FileZilla uses OpenSSL, the notes from Let's Encrypt say it must use version 1.1.0 or later.
Change History (3)
comment:1 by , 14 months ago
|Status:||new → moreinfo|
comment:2 by , 14 months ago
|Status:||moreinfo → new|
comment:3 by , 14 months ago
Filezilla actually uses GnuTLS and not OpenSSL. GnuTLS is supposed to support LetsEncrypt's new certificate chain starting with version 3.6.14. The About box on 3.58.1 on Windows 10 says it's using GnuTLS 3.7.2, which is newer than that, but I have users on one of my servers (using the above version) running into this, too, with it claiming DST X3 is expired, even though ISRG X1 is supposed to be in the trust store in that version so it should have stopped there.
Which version of FileZilla are you using?