View Ticket
Ticket Hash: 78b7f6c22f3003be66916ed7db0d5fabd18b4038
Title: Invalid intermediate certificate for chiselapp.com
Status: Open
Type: Incident
Severity: Important
Priority: Immediate
Subsystem:
Resolution: Open
Last Modified: 2021-11-14 15:53:47
Version Found In:
User Comments:
anonymous added on 2021-01-25 08:40:15:

Hello,

Sorry to write this report here, but I failed to find a feedback address at chiselapp.com.

At this time, the intermediate CA certificate is incorrect at chiselapp.com. OpenSSL fails to validate the certificate chain:

$ openssl s_client www.chiselapp.com:443
CONNECTED(00000194)
---
Certificate chain
 0 s:CN = chiselapp.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

You can see that the CNs in these certificates don't match. Here is stderr:

depth=0 CN = chiselapp.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = chiselapp.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = chiselapp.com
verify return:1

For comparison, for site openssl.org we have the following:

$ openssl s_client www.openssl.org:443 2>kogogo
CONNECTED(00000184)
---
Certificate chain
 0 s:CN = www.openssl.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

CN names match here. In stderr we have no errors:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.openssl.org
verify return:1

Interestingly, the problem doesn't arise in browsers, maybe because of caching of intermediate certs. See, for example, here and there.

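As an added illustration (not part of the ticket or of the Fossil project), the following Python check parses the "Certificate chain" listing that openssl s_client prints and verifies the linkage the reporter checked by eye: certificate n's issuer must equal certificate n+1's subject. The two chain listings quoted above are embedded as constructed sample input; the DN comparison is a plain string comparison of OpenSSL's one-line DN output, which is an approximation of RFC 5280 name matching and is stated as such in the code.

```python
import re

# Constructed sample input: the "Certificate chain" sections copied from the
# ticket's openssl s_client output. The first chain is the broken one served by
# chiselapp.com, the second is the correctly linked chain from www.openssl.org.
CHISELAPP_CHAIN = """\
Certificate chain
 0 s:CN = chiselapp.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

OPENSSL_CHAIN = """\
Certificate chain
 0 s:CN = www.openssl.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O=Digital Signature Trust Co., CN = DST Root CA X3
---
"""

# s_client prints each chain element as " N s:<subject>" followed by "   i:<issuer>".
SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s+i:(.*)$")


def normalize_dn(dn):
    """Canonicalize OpenSSL's one-line DN text so 'O=Foo' and 'O = Foo' compare equal.

    This is a textual approximation of RFC 5280 name comparison, good enough for
    the oneline format s_client emits; a real verifier compares the DER-encoded names.
    """
    parts = [p.strip() for p in dn.split(",")]
    return ", ".join(re.sub(r"\s*=\s*", "=", p) for p in parts)


def parse_chain(text):
    """Return a list of (subject, issuer) pairs in the order the server sent them."""
    certs = []
    subject = None
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            subject = normalize_dn(m.group(2))
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            certs.append((subject, normalize_dn(m.group(1))))
            subject = None
    return certs


def find_chain_breaks(certs):
    """Return (position, issuer_of_cert_n, subject_of_cert_n_plus_1) for every broken link.

    A correctly served chain has cert n's issuer equal to cert n+1's subject; the
    chiselapp.com chain fails at position 0, which is exactly what produces
    'unable to get local issuer certificate' in openssl s_client.
    """
    breaks = []
    for n in range(len(certs) - 1):
        issuer = certs[n][1]
        next_subject = certs[n + 1][0]
        if issuer != next_subject:
            breaks.append((n, issuer, next_subject))
    return breaks


def chain_is_linked(text):
    """True when every certificate in the s_client listing is issued by the one after it."""
    return not find_chain_breaks(parse_chain(text))


if __name__ == "__main__":
    for name, chain in (("chiselapp.com", CHISELAPP_CHAIN), ("www.openssl.org", OPENSSL_CHAIN)):
        breaks = find_chain_breaks(parse_chain(chain))
        if breaks:
            for n, issuer, subj in breaks:
                print(f"{name}: cert {n} issued by [{issuer}] but cert {n + 1} is [{subj}]")
        else:
            print(f"{name}: chain is correctly linked")
```

On a live host the same check applies to the output of `openssl s_client -connect host:443 -servername host </dev/null`, which is the listing the reporter pasted. Note that this only catches a mislinked intermediate; it does not check validity dates or whether the last issuer is a trusted root, so a linked chain can still fail verification when the root in the local cacert.pem is missing or expired.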

anonymous added on 2021-01-25 08:51:38:

PS: the issue arises when I use Fossil on Windows with the latest cacert.pem.

WBR, VZ


anonymous added on 2021-11-14 15:53:47:

Could be related to https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/.