How can I tell if wget can support LetsEncrypt's new ISRG Root X1 certificate after DST Root CA X3 Expiration
Solution 1:
Check your certificates as before, with your choice of TLS testers, or just a browser.
Have users update their client software.
The extended life DST Root CA X3 cross sign was primarily to extend the life of old Android devices. Of course nothing regarding implementing TLS is simple. This hit a bug in old OpenSSL 1.0.2 where this didn't validate as it should.
This problem with wget requires:
- Compiled
--with-ssl=openssl
which is not the default upstream - Old end of life OpenSSL 1.0.2, which normally should not be used, but some long term support distros maintain it.
For example, RHEL 7 should be affected. EL7 fixed it by updating ca-certificates to no longer contain the expired root.
The other thing to try is server side, by renewing with the alternate Let's Encrypt chain. Dropping the DST root no longer confuses old OpenSSL, but old Android will not work.