On 17/10/2024 02:42, Leon Fauster via Discuss wrote:

FYI: https://discussion.fedoraproject.org/t/invalid-certificate-trust-chain-for-c...

Yes, and I already fixed this (and then replied to the thread that I don't have a look at on discourse)

Long story short, our automation was relying on some symlinks based on number of CA that were used to sign various certs (internal, letsencrypt, others) but since June 2024, Letsencrypt is switching (round-robin) between multiple intermediate CA (see https://letsencrypt.org/certificates/)

So it was detected yesterday and pushed to take that into account (one cert could have been initially signed by R10 but then renewed on R11 - and vice/versa)