Giovanni Biscuolo 写道：
> Jack Hill <jackhill@jackhill.us> writes:
>> The error wget gives is a little bit better,

FWIW, I use this (extremely verbose) command to debug/check my own 
servers:

  $ openssl s_client -showcerts -servername 
  voices.transparency.org \
    -connect voices.transparency.org:443

>> Therefore, I think the fix is for voices.transparency.org to 
>> update the 
>> certificate chain/bundle that they are sending.

They're also sending intermediate certificates that they shouldn't 
be sending in the first place[0] which doesn't help matters.  I 
agree that this looks like an outdated server (mis)configuration.

> Yes. All modern clients and operating systems have the newer, 
> modern
> COMODO and USERTrust roots which don’t expire until 2038.

Right, but ‘modern’ there means ~2015.

Kind regards,

T G-R

[0]: 
https://www.ssllabs.com/ssltest/analyze.html?d=voices.transparency.org&s=52.4.38.70&hideResults=on