So, I'm not an expert, but ... here's what I've discovered.
This appears to be an issue with the certificate chain, although a subtle one. From what I can discover, this domain is signed with the following certificate chain:
immortalseed.me --> R3 --> ISRG Root X1 --> DST Root CA X3
DST Root CA X3 has expired, but ISRG Root X1 is actually self-signed.
So it appears that some software (modern browsers, etc.) contains code that can figure out that, while DST Root CA X3 has expired (which would normally make the chain invalid), it actually isn't, because ISRG Root X1 is self-signed too, which makes it valid. You can see this in Safari (see attached image file -- apparently I can't attach an image, but just use Safari to go to the website and look at the certificates by clicking on the lock icon).
On the other hand, openssl (and, I suspect, by extension curl) do not handle this well. When I use the openssl command to explore the certificate chain, I get this:
woodland:~ james$ openssl s_client -showcerts -servername immortalseed.me -connect immortalseed.me:443
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
---
Certificate chain
0 s:/CN=immortalseed.me
i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=immortalseed.me
issuer=/C=US/O=Let's Encrypt/CN=R3
---
When curl/openssl perform this task, they rattle through the chain (immortalseed.me -> R3 -> ISRG Root X1 -> DST Root CA X3) and determine that the chain is expired, because DST Root CA X3 is expired.
One solution I've read about is to remove the DST Root CA X3 certificate, but in macOS that is on the System Roots keychain, which isn't editable.
Another solution would be for Transmission to perform the same kind of certificate validation that the browser does, but I won't pretend to know how that would happen.
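As an added illustration (not code from the post, from Transmission or from any CA), the Go program below uses the standard crypto/x509 package to build constructed stand-ins for the chain shown above (leaf, R3, a self-signed ISRG Root X1 and a copy of ISRG Root X1 cross-signed by an already expired DST Root CA X3) and then verifies the leaf against different trust stores. It shows why a verifier that has ISRG Root X1 in its store succeeds, since it can stop at that root and never needs the expired DST Root CA X3, while a verifier that trusts only DST Root CA X3 fails with the same "certificate has expired" outcome as the openssl run. All certificate names, keys and dates are constructed, and the CheckChain function and its arguments are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for pub with signer's key; parent == nil makes it self-signed.
func issue(cn string, ca bool, nb, na time.Time, pub crypto.PublicKey, parent *x509.Certificate, signer crypto.Signer) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if !ca { // the leaf is an ordinary server certificate for the site name
		tmpl.KeyUsage, tmpl.ExtKeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{"immortalseed.me"}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // a key/parent mismatch would be a programming error in this demo
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}
// CheckChain builds constructed stand-ins for the served chain (leaf <- R3 <- ISRG Root X1, plus ISRG Root X1
// cross-signed by DST Root CA X3, which expired a year ago) and verifies the leaf against the chosen roots.
func CheckChain(now time.Time, trustDST, trustISRG bool) error {
	gen := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	dstK, isrgK, r3K, leafK := gen(), gen(), gen(), gen()
	dst := issue("DST Root CA X3 (constructed)", true, now.AddDate(-20, 0, 0), now.AddDate(-1, 0, 0), dstK.Public(), nil, dstK)
	isrg := issue("ISRG Root X1 (constructed)", true, now.AddDate(-5, 0, 0), now.AddDate(10, 0, 0), isrgK.Public(), nil, isrgK)
	cross := issue("ISRG Root X1 (constructed)", true, now.AddDate(-5, 0, 0), now.AddDate(2, 0, 0), isrgK.Public(), dst, dstK)
	r3 := issue("R3 (constructed)", true, now.AddDate(-1, 0, 0), now.AddDate(3, 0, 0), r3K.Public(), isrg, isrgK)
	leaf := issue("immortalseed.me", false, now.Add(-time.Hour), now.AddDate(0, 3, 0), leafK.Public(), r3, r3K)
	roots, served := x509.NewCertPool(), x509.NewCertPool()
	for root, trusted := range map[*x509.Certificate]bool{dst: trustDST, isrg: trustISRG} {
		if trusted {
			roots.AddCert(root)
		}
	}
	served.AddCert(r3)    // the server sends R3 and the cross-signed ISRG Root X1 alongside the leaf,
	served.AddCert(cross) // exactly as the openssl s_client output shows
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: served, DNSName: "immortalseed.me", CurrentTime: now})
	return err
}
```

A nil result from CheckChain means the verifier found a valid path; with only the expired root trusted, the error message names the expiry as the reason the candidate authority was rejected.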