[Lynx-dev] invisible-mirror.net uses untrusted certificate

[Andreas Metzler]

Hello,

looks like invisible-mirror.net stumbled over the recent letsencrypt
change
<https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/>
it sends a chain signed by the expired R3 cert:
ametzler@argenau:/tmp/EXIM4$ gnutls-cli invisible-mirror.net
Processed 127 CA certificate(s).
Resolving 'invisible-mirror.net:443'...
Connecting to '160.153.42.69:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=invisible-mirror.net', issuer `CN=R3,O=Let's Encrypt,C=US', 
serial 0x0361c3003e1413e8655113f8907eeb16e4b4, RSA key 2048 bits, signed using 
RSA-SHA256, activated `2021-08-01 17:19:48 UTC', expires `2021-10-30 17:19:46 
UTC', pin-sha256="LnOGaFwh9ztb+ce0tQdEB/Gx3A0dBPJjYzDn+Sdu+8A="
        Public Key ID:
                sha1:1b7234964165216ed84d88ad8d5f8c836fc01f72
                
sha256:2e7386685c21f73b5bf9c7b4b5074407f1b1dc0d1d04f2636330e7f9276efbc0
        Public Key PIN:
                pin-sha256:LnOGaFwh9ztb+ce0tQdEB/Gx3A0dBPJjYzDn+Sdu+8A=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital 
Signature Trust Co.', serial 0x400175048314a4c8218c84a90c16cddf, RSA key 2048 
bits, signed using RSA-SHA256, activated `2020-10-07 19:21:40 UTC', expires 
`2021-09-29 19:21:40 UTC', 
pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Status: The certificate is NOT trusted. The certificate chain uses expired 
certificate.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

Net sure why it works in firefox, but it fails with lynx.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'