View Ticket
Ticket Hash: 78b7f6c22f3003be66916ed7db0d5fabd18b4038
Title: Invalid intermediate certificate for chiselapp.com
Status: Open
Type: Incident
Severity: Important
Priority: Immediate
Subsystem:
Resolution: Open
Last Modified: 2021-11-14 15:53:47
Version Found In:
User Comments:
anonymous added on 2021-01-25 08:40:15: (text/x-markdown)
Hello,

Sorry to write this report here, because I failed to find a feedback address at chiselapp.com.

At this time, the intermediate CA is incorrect at chiselapp.com. OpenSSL fails to validate the certificate chain:

```
$ openssl s_client www.chiselapp.com:443
CONNECTED(00000194)
---
Certificate chain
 0 s:CN = chiselapp.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
```

You can see that the CNs in these certificates don't match. Here is stderr:

```
depth=0 CN = chiselapp.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = chiselapp.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = chiselapp.com
verify return:1
```

For comparison, for site openssl.org we have the following:

```
$ openssl s_client www.openssl.org:443 2>kogogo
CONNECTED(00000184)
---
Certificate chain
 0 s:CN = www.openssl.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
```

The CN names match here. In stderr there are no errors:

```
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.openssl.org
verify return:1
```

Interestingly, the problem doesn't arise in browsers, maybe because of caching of intermediate certs. See, for example, [here](https://shiftordie.de/blog/2017/02/21/fingerprinting-firefox-users-with-cached-intermediate-ca-certificates-fiprinca/) and [there](https://blog.mozilla.org/security/2020/11/13/preloading-intermediate-ca-certificates-into-firefox/).

anonymous added on 2021-01-25 08:51:38: (text/x-markdown)
PS: the issue arises when I use Fossil on Windows with the latest [cacert.pem](https://curl.haxx.se/ca/cacert.pem).

WBR, VZ

anonymous added on 2021-11-14 15:53:47: (text/x-markdown)
Could be related to https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/.
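The chain dumps in the first comment can be checked mechanically. The script below is an added example, not code from the ticket, from Fossil or from chiselapp.com: it parses the "Certificate chain" block that `openssl s_client` prints and reports the first depth at which a certificate's issuer DN is not the subject DN of the next certificate, which is the mismatch the reporter points out (the leaf names `R3` as its issuer, but the server sends `Let's Encrypt Authority X3`). The two chain dumps are copied from the comments above; `TRUSTED_ROOTS` is a constructed stand-in for cacert.pem that contains only the DST Root CA X3 subject. Comparing DNs is only a quick sanity check of what the server sends: real path validation also verifies signatures and key identifiers, which the `s_client` summary does not show, and the expiry question raised in the last comment needs the certificates' validity dates.

```python
"""Check issuer/subject linkage in an `openssl s_client` certificate chain dump.

Added example for this ticket, not the project's own code. It only compares the
DNs printed by s_client; it does not verify signatures or validity dates.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# " 0 s:CN = chiselapp.com"  -> depth 0, subject DN
CHAIN_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
# "   i:C = US, O = Let's Encrypt, CN = R3" -> issuer DN of the preceding cert
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")


@dataclass
class ChainCert:
    depth: int
    subject: str
    issuer: str


def parse_chain(output: str) -> List[ChainCert]:
    """Extract (depth, subject, issuer) triples from s_client output."""
    certs: List[ChainCert] = []
    lines = output.splitlines()
    i = 0
    while i < len(lines):
        m = CHAIN_LINE.match(lines[i])
        if m and i + 1 < len(lines):
            mi = ISSUER_LINE.match(lines[i + 1])
            if mi:
                certs.append(ChainCert(int(m.group(1)), m.group(2).strip(), mi.group(1).strip()))
                i += 2
                continue
        i += 1
    return certs


def check_linkage(certs: List[ChainCert]) -> Optional[int]:
    """Depth of the first cert whose issuer is not the next cert's subject, or None.

    This is the hop that makes OpenSSL report
    'unable to get local issuer certificate' at that depth.
    """
    for lower, upper in zip(certs, certs[1:]):
        if lower.issuer != upper.subject:
            return lower.depth
    return None


def check_chain(output: str, trusted_roots: Set[str]) -> Dict[str, object]:
    """Summarise linkage and whether the top of the chain names a known root."""
    certs = parse_chain(output)
    top_issuer = certs[-1].issuer if certs else None
    return {
        "chain_length": len(certs),
        "broken_at_depth": check_linkage(certs),
        "top_issuer": top_issuer,
        "anchored_in_trust_store": top_issuer in trusted_roots,
    }


# Constructed stand-in for cacert.pem: root subjects only.
TRUSTED_ROOTS = {"O = Digital Signature Trust Co., CN = DST Root CA X3"}

# Chain dump for chiselapp.com as quoted in the ticket.
CHISELAPP_CHAIN = """\
CONNECTED(00000194)
---
Certificate chain
 0 s:CN = chiselapp.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

# Chain dump for www.openssl.org as quoted in the ticket.
OPENSSL_ORG_CHAIN = """\
CONNECTED(00000184)
---
Certificate chain
 0 s:CN = www.openssl.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

if __name__ == "__main__":
    for name, dump in (("chiselapp.com", CHISELAPP_CHAIN), ("www.openssl.org", OPENSSL_ORG_CHAIN)):
        result = check_chain(dump, TRUSTED_ROOTS)
        if result["broken_at_depth"] is None:
            print(f"{name}: chain links up, top issuer {result['top_issuer']!r}")
        else:
            print(f"{name}: issuer/subject mismatch at depth {result['broken_at_depth']}")
```

Run it over a live capture with `openssl s_client -connect host:443 </dev/null 2>/dev/null | python3 chaincheck.py` after replacing the embedded samples with `sys.stdin.read()`; a non-`None` `broken_at_depth` means the server is sending the wrong intermediate, regardless of whether a browser with a cached or preloaded intermediate happens to succeed.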