Bug 258993

Summary: Expired LE's DST Root CA X3 certificate in the chain
Product: Services
Reporter: Jose Luis Duran <jlduran>
Component: Core Infrastructure
Assignee: Cluster Admin <clusteradm>
Status: Closed Overcome By Events
Severity: Affects Some People
CC: chris, git-admin
Priority: Normal
Keywords: needs-qa
Version: unspecified
Hardware: Any
OS: Any

Description Jose Luis Duran 2021-10-07 22:14:49 UTC
Some parts of the freebsd.org infrastructure are still including Let's Encrypt's recently expired X3 certificate in their chain, producing errors with certain utilities.

For example:

% curl -O https://cgit.freebsd.org/ports/plain/security/acme.sh/Makefile
...
curl: (60) SSL certificate problem: certificate has expired
...

Will warn me about the expired cert.

With acme.sh, the issue is fixed by setting the preferred chain to ISRG^[1]:

# su -l acme -c "acme.sh --set-default-chain --preferred-chain ISRG --server letsencrypt"

At least www.freebsd.org and git.freebsd.org are affected.

^[1]: https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain
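An added example (not part of the bug report or of any FreeBSD or acme.sh code) of the check an operator would run before and after changing the preferred chain: walk every certificate in a served PEM bundle and flag any whose notAfter lies in the past, using only the Python standard library. The DER walker reads only the fields it needs (validity and subject CN); the sample chain is constructed here from unsigned skeleton certificates with made-up serials and empty algorithm fields, so it is not real Let's Encrypt material, although the root's expiry timestamp matches the well-known expiry of DST Root CA X3. The `report_for_sample` helper evaluates the chain at the report's timestamp.

```python
# Audit a PEM certificate chain for expired certificates (standard library only).
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode UTCTime (RFC 5280 two-digit-year pivot at 50) or GeneralizedTime."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    elif tag == 0x18:
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


def _subject_cn(subject):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; return the CN (OID 2.5.4.3)."""
    pos = 0
    while pos < len(subject):
        _, rdn, pos = _read_tlv(subject, pos)          # SET
        _, atv, _ = _read_tlv(rdn, 0)                  # SEQUENCE { OID, value }
        _, oid, p = _read_tlv(atv, 0)
        if oid == b"\x55\x04\x03":
            return _read_tlv(atv, p)[1].decode("utf-8")
    return None


def cert_info(der):
    """Return (subject CN, notBefore, notAfter) from a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)                      # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                      # TBSCertificate SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        tag, _, pos = _read_tlv(tbs, pos)               # serialNumber
    _, _, pos = _read_tlv(tbs, pos)                     # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)                     # issuer Name
    _, validity, pos = _read_tlv(tbs, pos)              # Validity SEQUENCE
    _, subject, _ = _read_tlv(tbs, pos)                 # subject Name
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    return _subject_cn(subject), _parse_time(t1, nb), _parse_time(t2, na)


def expired_in_chain(pem_text, now):
    """List (index, CN, notAfter) for every certificate in the bundle expired at `now`."""
    out = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        cn, _, not_after = cert_info(base64.b64decode("".join(m.group(1).split())))
        if not_after < now:
            out.append((i, cn, not_after))
    return out


# --- constructed sample chain: unsigned skeleton certificates, not real ones ---
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _name(cn):
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def _utc(dt):
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())


def _skeleton_cert(cn, issuer, not_before, not_after):
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + _name(issuer) + _tlv(0x30, _utc(not_before) + _utc(not_after)) + _name(cn))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))  # empty sig alg, dummy sig
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()


def _dt(*a):
    return datetime(*a, tzinfo=timezone.utc)


def sample_chain():
    # leaf -> R3 -> DST Root CA X3; the root's notAfter is its real expiry time
    return (_skeleton_cert("cgit.freebsd.org", "R3", _dt(2021, 9, 1), _dt(2021, 11, 30))
            + _skeleton_cert("R3", "DST Root CA X3", _dt(2020, 9, 4), _dt(2025, 9, 15))
            + _skeleton_cert("DST Root CA X3", "DST Root CA X3", _dt(2000, 9, 30), _dt(2021, 9, 30, 14, 1, 15)))


def report_for_sample():
    """Evaluate the sample chain at the bug report's timestamp (2021-10-07 22:14:49 UTC)."""
    return expired_in_chain(sample_chain(), _dt(2021, 10, 7, 22, 14, 49))


if __name__ == "__main__":
    for idx, cn, exp in report_for_sample():
        print("cert #%d CN=%s expired at %s" % (idx, cn, exp.isoformat()))
```

For a live server, feed the output of `openssl s_client -showcerts` (the PEM blocks it prints) into `expired_in_chain`; a hit on anything other than the leaf is the signal that the served chain still carries a stale intermediate or root.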
Comment 1 Jose Luis Duran 2021-10-08 03:22:54 UTC
While it is true that an expired cert is in the chain, this can be considered part of Let's Encrypt's transition strategy:

https://letsencrypt.org/2021/10/01/cert-chaining-help.html

I will close this report, as it is really not my objective to go against the grain and most clients already do the right thing.

Thank you!