public inbox for [email protected]  
Expired cert
5+ messages / 4 participants

* Expired cert

From: Jim Mlodgenski @ 2021-10-08 15:27 UTC
  To: [email protected]

It looks like Let's Encrypt needs to be nudged on one of the servers

wget https://www.postgresql.org
--2021-10-08 15:24:33--  https://www.postgresql.org/
Resolving www.postgresql.org (www.postgresql.org)... 87.238.57.232,
72.32.157.230, 217.196.149.50, ...
Connecting to www.postgresql.org
(www.postgresql.org)|87.238.57.232|:443... connected.
ERROR: cannot verify www.postgresql.org's certificate, issued by
‘/C=US/O=Let's Encrypt/CN=R3’:
  Issued certificate has expired.
To connect to www.postgresql.org insecurely, use `--no-check-certificate'.






* Re: Expired cert

From: Magnus Hagander @ 2021-10-08 15:42 UTC
  To: Jim Mlodgenski <[email protected]>; +Cc: PostgreSQL WWW <[email protected]>

On Fri, Oct 8, 2021 at 5:27 PM Jim Mlodgenski <[email protected]> wrote:

> It looks like Let's Encrypt needs to be nudged on one of the servers
>

More to the point, your client needs a nudge.  The certificate has not
expired, but you are using a version of OpenSSL that's terribly out of
date. All (or most at least? But I think all) non-EOL distros should do
that by default if you just apply their updates. See for example
https://letsencrypt.org/2021/10/01/cert-chaining-help.html and
https://letsencrypt.org/docs/certificate-compatibility/

-- 
 Magnus Hagander
 Me: https://www.hagander.net/ <http://www.hagander.net/>
 Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>



* Re: Expired cert

From: Jim Mlodgenski @ 2021-10-08 16:17 UTC
  To: Magnus Hagander <[email protected]>; +Cc: PostgreSQL WWW <[email protected]>

On Fri, Oct 8, 2021 at 11:42 AM Magnus Hagander <[email protected]> wrote:
>
> More to the point, your client needs a nudge.  The certificate has not expired, but you are using a version of OpenSSL that's terribly out of date. All (or most at least? But I think all) non-EOL distros should do that by default if you just apply their updates. See for example https://letsencrypt.org/2021/10/01/cert-chaining-help.html and https://letsencrypt.org/docs/certificate-compatibility/
>
Thanks. I didn't notice the root cert expired last week. Updating
OpenSSL did the trick.






* Re: Expired cert

From: Edward Breen @ 2021-11-24 19:38 UTC
  To: Jim Mlodgenski <[email protected]>; +Cc: Magnus Hagander <[email protected]>; PostgreSQL WWW <[email protected]>

It appears the issue isn't fully resolved. I still see the expired root
certificate DST Root CA X3 with openssl:

% openssl s_client -connect www.postgresql.org:443 -servername www.postgresql.org

CONNECTED(00000007)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
---
Certificate chain
 0 s:/CN=www.postgresql.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Best,
Edward Breen
Software Engineer
Wexus Technologies Inc.
[email protected]


On Wed, Nov 24, 2021 at 11:35 AM Jim Mlodgenski <[email protected]> wrote:

> On Fri, Oct 8, 2021 at 11:42 AM Magnus Hagander <[email protected]>
> wrote:
> >
> > More to the point, your client needs a nudge.  The certificate has not
> expired, but you are using a version of OpenSSL that's terribly out of
> date. All (or most at least? But I think all) non-EOL distros should do
> that by default if you just apply their updates. See for example
> https://letsencrypt.org/2021/10/01/cert-chaining-help.html and
> https://letsencrypt.org/docs/certificate-compatibility/
> >
> Thanks. I didn't notice the root cert expired last week. Updating
> OpenSSL did the trick.
>

* Re: Expired cert

From: Tom Lane @ 2021-11-24 20:01 UTC
  To: Edward Breen <[email protected]>; +Cc: Jim Mlodgenski <[email protected]>; Magnus Hagander <[email protected]>; PostgreSQL WWW <[email protected]>

Edward Breen <[email protected]> writes:
> It appears the issue isn't fully resolved. I still see the expired root
> certificate DST Root CA X3 with openssl:
> % openssl s_client -connect www.postgresql.org:443 -servername www.postgresql.org

This did before, and still does, indicate either an obsolete system trust
store or an obsolete OpenSSL version on your end.  You need to make sure
the "ISRG Root X1" cert is trusted by your machine, and you need to make
sure you're running moderately recent OpenSSL (preferably > 1.0.2).
If the latter is impractical, there are workarounds here:

https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

			regards, tom lane
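
Added example, not part of any message in this thread: a small triage script that reads an `openssl s_client` transcript like the one quoted above and applies the two checks from the last reply (is a root the server sent, such as "ISRG Root X1", trusted locally, and is OpenSSL newer than 1.0.2). The function names, the trust-store set and the version strings are assumptions made for illustration.

```python
import re
# Constructed sample, trimmed from the s_client output quoted in this thread.
SAMPLE = """\
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
---
Certificate chain
 0 s:/CN=www.postgresql.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

def cn(name):
    """Common name from 'O = x, CN = y' or '/O=x/CN=y' notation."""
    m = re.search(r"CN\s*=\s*([^/,\n]+)", name)
    return m.group(1).strip() if m else name.strip()

def parse(transcript):
    """Return ([(subject, issuer), ...] as sent by the server, {expired CNs})."""
    pairs = re.findall(r"^[ \t]*\d+ s:(.+)\n[ \t]+i:(.+)$", transcript, re.M)
    expired = re.findall(r"^depth=\d+ (.+)\nverify error:num=10:", transcript, re.M)
    return [(cn(s), cn(i)) for s, i in pairs], {cn(e) for e in expired}

def old_path_building(version_line):
    """True for OpenSSL 1.0.2 and older, given the output of `openssl version`."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)", version_line)
    return bool(m) and tuple(map(int, m.groups())) <= (1, 0, 2)

def diagnose(transcript, trusted_cns, version_line):
    chain, expired = parse(transcript)
    if not expired:
        return "ok"
    if chain and chain[0][0] in expired:
        return "server: leaf certificate expired"
    # Certificates the server sent that the local trust store could anchor on.
    anchors = [s for s, _ in chain[1:] if s in trusted_cns]
    if not anchors:
        missing = [s for s, i in chain if i in expired]
        return "client: add %s to the trust store" % ", ".join(missing)
    if old_path_building(version_line):
        return "client: update OpenSSL or apply a workaround"
    return "client: check which trust store this openssl binary reads"

if __name__ == "__main__":
    print(diagnose(SAMPLE, {"ISRG Root X1"}, "OpenSSL 1.0.2k-fips  26 Jan 2017"))
```

Only an expired entry at position 0 of the chain points at the server; an expired name that appears solely as the issuer of the last certificate sent is a client-side trust or path-building matter.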





