Issue
The `DST Root CA X3` is in the cert chain and it is expired, so the device will not trust it.
Fix
Add the `preferred_chains` option in the `tls` section and set the value to `smallest`. Don't use `root_common_name "ISRG Root X1"`; it will keep the `DST Root CA X3` in the cert chain.

```
your.dns-domain.com {
    tls {
        issuer acme {
            # prefer the smallest chain the ACME CA offers
            preferred_chains smallest
        }
    }
    respond "It's work!"
}
```

Stop the caddy server
```
service caddy stop
```

Remove the related domain cert files

```
rm -rf /path/to/your/caddy/certs/data/*
```

Start the caddy server

```
service caddy start
```

Restart the custom domain name server (DNS) and make sure it is using the newly issued certs
Others
Check domain cert chain (openssl)
```
openssl s_client -showcerts -servername your.dns-domain.com -connect your.dns-domain.com:853
```
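
To confirm the reissued chain no longer ends at `DST Root CA X3`, the output of the `openssl s_client` command above can be classified by a small script. This is an added example, not part of the original post; the function names are hypothetical and the two sample chains are constructed (they assume Let's Encrypt's R3 intermediate).

```shell
# Added example: classify `openssl s_client -showcerts` output read on stdin.
# Prints stale (an issuer is DST Root CA X3), clean (chain served without it)
# or no-chain (nothing parsed, e.g. handshake failed, so nothing is proven).
chain_status() {
    issuers=$(awk '
        /^Certificate chain/    { in_chain = 1; next }
        in_chain && /^---$/     { exit }
        in_chain && /^[ \t]*i:/ { sub(/^[ \t]*i:/, ""); print }')
    if [ -z "$issuers" ]; then
        echo no-chain
    # Matches "CN = ..." (OpenSSL 1.1+) and "/CN=..." (older releases).
    elif printf '%s\n' "$issuers" | grep -Eq 'CN ?= ?DST Root CA X3'; then
        echo stale
    else
        echo clean
    fi
}

# Live check; hypothetical helper wrapping the command from this page.
check_host() {  # usage: check_host your.dns-domain.com 853
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" \
        </dev/null 2>/dev/null | chain_status
}

# Constructed sample: chain summary before the fix (PEM bodies omitted).
sample_before() { cat <<'EOF'
Certificate chain
 0 s:CN = your.dns-domain.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# Constructed sample: chain summary after reissuing with the smallest chain.
sample_after() { cat <<'EOF'
Certificate chain
 0 s:CN = your.dns-domain.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
}

sample_before | chain_status; sample_after | chain_status   # stale, clean
```

After restarting, run `check_host your.dns-domain.com 853`; any result other than `clean` means the old chain is still being served or the handshake did not complete.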
Other tools
https://crt.sh/