public inbox for [email protected]  
From: Christoph Berg <[email protected]>
To: Stefan Huehner <[email protected]>
Cc: [email protected]
Cc: sysadmins <[email protected]>
Subject: Re: apt.postgresql.org repo via https will fail will some users starting 2021-10-01
Date: Thu, 9 Sep 2021 17:33:51 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<YTn/[email protected]>
	<[email protected]>

Re: Stefan Huehner
> > > - Some on the website
> > > - Think on reconfiguring certbot/Let's Encrypt on the server to switch to the alternative chain (avoiding this bug but breaking compatibility with old Android
> > 
> > That's probably rather the ca-certificates package?
> 
> Not in this case, I know, a bit confusing.
> That upstream article has more details:
> https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certifica...
> Part: How to support older OpenSSL versions
> 
> In (not so) short: ca-certificates is fine to have trust anchor for Let's Encrypt.
> However, not everybody directly trusts Let's Encrypt (missing entry in their equivalent of ca-certificates, i.e. old Android).
> 
> To keep those other clients supported they employed a bit of a trick which has an 'expired root certificate' in the chain from your server-cert to their root. At the same time there is a 2nd valid path. But old versions of software (openssl, gnutls) just stop + fail on seeing 'expired'.
> 
> Best they could do is offer server owner (certbot parameter when requesting ssl certificate to select):

Ah, I thought you meant the end users' servers running PostgreSQL when
you said "server".

For changing the webservers, we'd need to get pginfra on board, Cc'ed
now.

Christoph
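
The chain behaviour described in the quoted text, as a simplified model added here; it is not part of the original message and not the actual path-building code of OpenSSL or GnuTLS. All certificate names, the hostname and the validity dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed placeholders, not real certificates.
OLD_ROOT = Cert("Old Root", "Old Root", date(2021, 9, 30))   # expired anchor
NEW_ROOT = Cert("New Root", "New Root", date(2035, 1, 1))    # valid anchor
CROSS = Cert("New Root", "Old Root", date(2024, 1, 1))       # New Root cross-signed by Old Root
INTER = Cert("Intermediate", "New Root", date(2025, 1, 1))
LEAF = Cert("apt.example.org", "Intermediate", date(2021, 12, 1))

LONG_CHAIN = [LEAF, INTER, CROSS]   # chain that leads to the expired root
ALT_CHAIN = [LEAF, INTER]           # alternative chain, no cross-sign
FULL_STORE = {c.subject: c for c in (OLD_ROOT, NEW_ROOT)}
OLD_ONLY_STORE = {OLD_ROOT.subject: OLD_ROOT}  # client that never got New Root

def valid(path, today):
    return all(c.not_after >= today for c in path)

def verify_legacy(chain, store, today):
    """Walk every certificate the server sent, then anchor the last one;
    one expired certificate on that single path fails verification."""
    anchor = store.get(chain[-1].issuer)
    return anchor is not None and valid(list(chain) + [anchor], today)

def verify_trusted_first(chain, store, today):
    """Stop at the first issuer that is a still-valid trust anchor and
    ignore whatever the server sent beyond it."""
    path = []
    for cert in chain:
        path.append(cert)
        anchor = store.get(cert.issuer)
        if anchor is not None and anchor.not_after >= today:
            return valid(path + [anchor], today)
    return False

if __name__ == "__main__":
    day = date(2021, 10, 1)
    print("legacy, long chain:       ", verify_legacy(LONG_CHAIN, FULL_STORE, day))
    print("trusted-first, long chain:", verify_trusted_first(LONG_CHAIN, FULL_STORE, day))
    print("legacy, alternative chain:", verify_legacy(ALT_CHAIN, FULL_STORE, day))
    print("old-only store, alt chain:", verify_legacy(ALT_CHAIN, OLD_ONLY_STORE, day))
```

In this model the alternative chain fixes the legacy verifier but fails for a client whose store lacks the new root, which is the trade-off raised in the thread.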




