Re: Stefan Huehner
> > > - Some on the website
> > > - Think on reconfiguring certbot/Let's Encrypt on the server to switch to the alternative chain (avoiding this
bugbut breaking compatibility with old Android
> >
> > That's probably rather the ca-certificates package?
>
> Not in this case, i know a bit confusing.
> That upstream article has more details:
> https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816
> Part: How to support older OpenSSL versions
>
> In (not so) short: ca-certificates is fine to have trust anchor for Lets Encrypt.
> However not everybody directly trust Let's Encrypt (missing entry in their equivalent of ca-certificates (i.e. old
Android).
>
> To keep those other clients supported they employed a bit of a trick which has an 'expired root certificates' in the
chainfrom your server-cert to their root. At the same time there is 2nd valid path. But old version of software
(openssl,gnutls)just stop + fail on seeing 'expired'.
>
> Best they could do if offer server owner (certbot parameter when requesting ssl certificate to select):
Ah, I thought you meant the end-users servers running PostgreSQL when
you said "server".
For changing the webservers, we'd need to get pginfra on board, Cc'ed
now.
Christoph