From: Edward Breen
Date: Wed, 24 Nov 2021 11:38:29 -0800
Subject: Re: Expired cert
To: Jim Mlodgenski
Cc: Magnus Hagander, PostgreSQL WWW

It appears the issue isn't fully resolved. I still see the expired root certificate DST Root CA X3 with openssl:

% openssl s_client -connect www.postgresql.org:443 -servername www.postgresql.org

CONNECTED(00000007)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
---
Certificate chain
 0 s:/CN=www.postgresql.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Best,
Edward Breen
Software Engineer
Wexus Technologies Inc.
ebreen@wexusapp.com

On Wed, Nov 24, 2021 at 11:35 AM Jim Mlodgenski wrote:

> On Fri, Oct 8, 2021 at 11:42 AM Magnus Hagander wrote:
> >
> > More to the point, your client needs a nudge. The certificate has not
> > expired, but you are using a version of OpenSSL that's terribly out of
> > date. All (or most at least? But I think all) non-EOL distros should do
> > that by default if you just apply their updates. See for example
> > https://letsencrypt.org/2021/10/01/cert-chaining-help.html and
> > https://letsencrypt.org/docs/certificate-compatibility/
> >
> Thanks. I didn't notice the root cert expired last week. Updating
> OpenSSL did the trick.
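An added example, not part of the original message or of any PostgreSQL or OpenSSL code: a small Python parser for the s_client transcript quoted in the message. It pairs each "certificate has expired" error with the served certificate issued by that CA and checks whether that certificate's subject is already a local trust anchor. The function names and the local_roots set are assumptions of this sketch.

```python
import re

# s_client output quoted in the message above, trimmed to one verify error.
TRANSCRIPT = """\
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
 0 s:/CN=www.postgresql.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""

def cn(dn):
    """Common name from either DN style OpenSSL prints (/CN=x or CN = x)."""
    m = re.search(r"CN\s*=\s*([^/,\n]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def served_chain(text):
    """[(subject CN, issuer CN), ...] from the 'Certificate chain' block."""
    pairs, subject = [], None
    for line in text.splitlines():
        s, i = re.match(r"\s*\d+ s:(.+)", line), re.match(r"\s+i:(.+)", line)
        if s:
            subject = cn(s.group(1))
        elif i and subject is not None:
            pairs.append((subject, cn(i.group(1))))
            subject = None
    return pairs

def expired_names(text):
    """CNs the client flagged with verify error 10 (certificate has expired)."""
    found, last = set(), None
    for line in text.splitlines():
        if line.startswith("depth="):
            last = cn(line)
        elif line.startswith("verify error:num=10:") and last:
            found.add(last)
    return found

def diagnose(text, local_roots):
    """(chain index, subject, expired issuer, subject is a local root?) per hit.
    local_roots is an assumed set of CNs present in the client's trust store."""
    expired = expired_names(text)
    return [(n, subj, iss, subj in local_roots)
            for n, (subj, iss) in enumerate(served_chain(text)) if iss in expired]
```

Called as diagnose(TRANSCRIPT, {"ISRG Root X1"}), it flags chain entry 2: the served ISRG Root X1 certificate is the one issued by DST Root CA X3, and its subject is already in the assumed local root set.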