Re: BUG #17224: Postgres Yum repo mirror has expired SSL certificate

PG Bug reporting form <noreply@postgresql.org> writes:
> In our automation we first install the PGDG Yum repo
> pgdg-redhat-repo-latest.noarch.rpm and then install the individual
> components needed by our applications and servers.  Starting about a week
> ago, with the expiration of the Let's Encrypt! CA cert, we've been
> experiencing intermittent repo failures due to an expired SSL cert on one of
> the repo mirrors.

This indicates out-of-date software on your end.
We are aware of two possible sources of trouble:

* You might have a very out-of-date system trust store that
doesn't list the "ISRG Root X1" root certificate as trusted.

* Versions of OpenSSL up through 1.0.2 or so won't believe
that ISRG Root X1 is the cert to check for, as a result of
a hack that Let's Encrypt are using to preserve compatibility
with equally ancient Android installations.  Details and
possible workarounds are mentioned at [1].

            regards, tom lane

[1] https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/