From: Tom Lane <tgl@sss.pgh.pa.us>
To: Edward Breen <ebreen@wexusapp.com>
cc: Jim Mlodgenski <jimmy76@gmail.com>, Magnus Hagander <magnus@hagander.net>,
        PostgreSQL WWW <pgsql-www@lists.postgresql.org>
Subject: Re: Expired cert
In-reply-to: 
 <CAFNF7+ZqvqaLCtACL_1baLUZe7jBWwy9eubnFbqp0tEaPK4Ung@mail.gmail.com>
References: 
 <CAB_5SReU8qC80UYd6GmWNxi5tJCJvJ_FUUnVq-S5VpB8aULDaA@mail.gmail.com>
 <CABUevEz8C2Kx14Rf0hfDAnBVwHkcxnp0a6SC1znM5ZLUScFeQA@mail.gmail.com>
 <CAB_5SRf=10RqgTkbz_=wGOfDUNP2yOZ0hKTKtEHCd8RXK7PD3A@mail.gmail.com>
 <CAFNF7+ZqvqaLCtACL_1baLUZe7jBWwy9eubnFbqp0tEaPK4Ung@mail.gmail.com>
Comments: In-reply-to Edward Breen <ebreen@wexusapp.com>
	message dated "Wed, 24 Nov 2021 11:38:29 -0800"
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <187809.1637784093.1@sss.pgh.pa.us>
Date: Wed, 24 Nov 2021 15:01:33 -0500
Message-ID: <187810.1637784093@sss.pgh.pa.us>
Archived-At: 
 <https://www.postgresql.org/message-id/187810.1637784093%40sss.pgh.pa.us>
Precedence: bulk

Edward Breen <ebreen@wexusapp.com> writes:
> It appears the issue isn't fully resolved. I still see the expired root
> certificate DST Root CA X3 with openssl:
> % openssl s_client -connect www.postgresql.org:443 -servername
> www.postgresql.org

This did before, and still does, indicate either an obsolete system trust
store or an obsolete OpenSSL version on your end.  You need to make sure
the "ISRG Root X1" cert is trusted by your machine, and you need to make
sure you're running moderately recent OpenSSL (preferably > 1.0.2).
If the latter is impractical, there are workarounds here:

https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

			regards, tom lane