Christoph Moench-Tegeder <cmt@xxxxxxxxxxxxxx> writes:
> I do know from my own experience that at least the "old" (2020.2.something)
> Redhat package is missing the new "ISRG Root X1" certificate, you'll
> need version 2021.2.something.

Seems unlikely that it changed that recently, for a couple of reasons:

* AFAICT, Red Hat's policy is to track the Mozilla NSS trusted-CA list
exactly. They do update from there only once a year or so, but NSS has
trusted ISRG Root X1 for five years.

* Looking at "rpm -q ca-certificates --changelog" on a RHEL8 machine,
the package maintainer appears to have started a policy in mid-2019 of
listing every single cert addition and removal in the changelog. None
of the updates since then mention ISRG Root X1.

* While Let's Encrypt's list of compatible platforms [1] doesn't mention
Red Hat directly, they do say that NSS has trusted X1 since release 3.26.
According to the changelog, Red Hat adopted that in August 2016:

    * Tue Aug 16 2016 Kai Engert <kaie@xxxxxxxxxx> - 2016.2.9-3
    - Revert to the unmodified upstream CA list, changing the legacy trust
      to an empty list. Keeping the ca-legacy tool and existing config,
      however, the configuration has no effect after this change.

    * Tue Aug 16 2016 Kai Engert <kaie@xxxxxxxxxx> - 2016.2.9-2
    - Update to CKBI 2.9 from NSS 3.26 with legacy modifications

So it sure looks from here like Red Hat has trusted the X1 certificate
since mid-2016, pretty much the same length of time as other major
distros. The most probable explanation for the OP's problem seems to be
failure to update ca-certificates and/or openssl at all for several years.

regards, tom lane

[1] https://letsencrypt.org/docs/certificate-compatibility/