I am suddenly getting this error message when trying receive email:
TLS handshake failure. Invalid server certificate (This certificate has expired).
I had checked my email 5 minutes previously, and it was fine. What happened in the past 5 minutes??
Edit: this is happening with both of my domains - cbiweb.com and musicianaire.ca.
Looks like this is related to the Let's Encrypt root cert expiry: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ - but we've already covered the bases for that. We're going over our setup now to find out where the problem is.
Should be working now.
sean Well this is both good and bad.
I set up one of my email accounts in Tbird, and it works! That's the good part.
The bad part is apparently I need to contact TheBat and tell them their client isn't accepting the certificate? And getting them to actually do something about it is like pulling teeth.
The other bad part is I might have to switch everything over to Tbird, which will be an unwanted (unnecessary) huge project.
Hi,
Last week this got a personal computer of mine that's using a fairly old operating system. Basically 1/2 of the Internet stopped working 
, including my Opalstack sites that have https enabled.
Long story short, I figured out a way to manually install and trust the ISRG Root X1 Root Certificate that Let's Encrypt now uses in place of the now-expired IdentTrust DST Root CA X3.
sean Looks like this is related to the Let's Encrypt root cert expiry: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ - but we've already covered the bases for that. We're going over our setup now to find out where the problem is.
I assume this root certificate switch is (at least partially) what you meant by this reply.
The thing is, my OS https sites are going to continue to be broken for anyone that hasn't installed & trusted the "ISRG Root X1" cert.
I was wondering if there is anything that can be done, server-side, to mitigate this, which still respecting the new LE root certificate.
I did some research and found the following:
I don't know enough to know whether this applies to OS, and even if it does, if it's possible for you to implement. This seems to be for servers and not clients. But maybe I've misread it.
What do you think @sean?
Thanks!
aa11 There's nothing we can do on our end to fix this. The LE root certificate is completely outside of our control.
If your freely-provided LE certificates aren't working for your site visitors then you'll need to purchase a SSL certificate from a commercial provider and install that as a manual certificate.
Understood.
Those posts I linked to seem like good leads, since they provide instructions for using "Alternate Trust Chains". They don't have anything to do with controlling LE.
The ACME protocol allows for a CA to offer alternate trust chains in order to accommodate the natural lifecycle of Root and Issuing certificates. As of this writing, the only public ACME CA that currently offers alternate trust chains is Let's Encrypt. But the instructions in this guide should work for any ACME CA.
Let's Encrypt Options
To understand why Let's Encrypt is offering multiple trust chains and why you as a site/service operator would choose one or the other, it is helpful to read the following posts [...]
Just to make sure:
Alternate trust chains are not something your going to be offering on OS?
Thanks.
