Hello, https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ ^^ This document indicates that, by enabling trusted-first mode, I should be able to work around the LE expiration problem. I’m either misunderstanding this or “holding it wrong”, though, because I can’t see that setup making any difference. I’ve got a chain with: 1) leaf cert (felipegasper.com) 2) Let’s Encrypt R3 3) … and the cert called “ISRG Root X1” that is *not*, in fact, a root cert Cert #3 in the above is issued by the now-expired “DST Root CA X3”, so including it (understandably) “misleads” `openssl verify` into looking into its root store for that cert’s issuer, which causes a verification failure. I notice, though, that connection handshakes succeed despite the non-self-signed “ISRG Root X1” being part of the sent chain. Is there a way I can make `openssl verify` behave the same way as connection handshakes? So the 3 certs I have in my chain will pass OpenSSL’s dedicated verification logic? Thank you! cheers, -Felipe Gasper
