We got a load of SSL warnings from our sites yesterday, and it looks like they all have well in date certs, but they are all using the Lets Encrypt DST Root CA X3 and the intermediate R3 that will expire in < 1 week.
I’ve even just create a new site and new cert via certify the web and
openssl.exe s_client -connect my.new.site:443
is still showing:
Certificate chain 0 s:CN = my.new.site i:C = US, O = Let's Encrypt, CN = R3 1 s:C = US, O = Let's Encrypt, CN = R3 i:O = Digital Signature Trust Co., CN = DST Root CA X3
This is all on Windows with IIS. Do I need to manually install the new ISRG Root X1 manually on the server somehow? I’ve been reading thread after thread here and elsewhere and I’ve not been able to work it out.
update: Even after upgrading to 5.5.4 and rebooting - the ISRG Root X1 is now there, but requesting a new cert still appears to use the old chain