Thread: Expired cert
It looks like Let's Encrypt needs to be nudged on one of the servers

wget https://www.postgresql.org
--2021-10-08 15:24:33-- https://www.postgresql.org/
Resolving www.postgresql.org (www.postgresql.org)... 87.238.57.232, 72.32.157.230, 217.196.149.50, ...
Connecting to www.postgresql.org (www.postgresql.org)|87.238.57.232|:443... connected.
ERROR: cannot verify www.postgresql.org's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’:
Issued certificate has expired.
To connect to www.postgresql.org insecurely, use `--no-check-certificate'.
On Fri, Oct 8, 2021 at 5:27 PM Jim Mlodgenski <jimmy76@gmail.com> wrote:
> It looks like Let's Encrypt needs to be nudged on one of the servers
More to the point, your client needs a nudge. The certificate has not expired, but you are using a version of OpenSSL that's terribly out of date. All (or most at least? But I think all) non-EOL distros should do that by default if you just apply their updates. See for example https://letsencrypt.org/2021/10/01/cert-chaining-help.html and https://letsencrypt.org/docs/certificate-compatibility/
On Fri, Oct 8, 2021 at 11:42 AM Magnus Hagander <magnus@hagander.net> wrote:
>
> More to the point, your client needs a nudge. The certificate has not expired, but you are using a version of OpenSSL that's terribly out of date. All (or most at least? But I think all) non-EOL distros should do that by default if you just apply their updates. See for example https://letsencrypt.org/2021/10/01/cert-chaining-help.html and https://letsencrypt.org/docs/certificate-compatibility/
>
Thanks. I didn't notice the root cert expired last week. Updating OpenSSL did the trick.
It appears the issue isn't fully resolved. I still see the expired root certificate DST Root CA X3 with openssl:
% openssl s_client -connect www.postgresql.org:443 -servername www.postgresql.org
CONNECTED(00000007)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
---
Certificate chain
0 s:/CN=www.postgresql.org
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
On Wed, Nov 24, 2021 at 11:35 AM Jim Mlodgenski <jimmy76@gmail.com> wrote:
On Fri, Oct 8, 2021 at 11:42 AM Magnus Hagander <magnus@hagander.net> wrote:
>
> More to the point, your client needs a nudge. The certificate has not expired, but you are using a version of OpenSSL that's terribly out of date. All (or most at least? But I think all) non-EOL distros should do that by default if you just apply their updates. See for example https://letsencrypt.org/2021/10/01/cert-chaining-help.html and https://letsencrypt.org/docs/certificate-compatibility/
>
Thanks. I didn't notice the root cert expired last week. Updating
OpenSSL did the trick.
Edward Breen <ebreen@wexusapp.com> writes:
> It appears the issue isn't fully resolved. I still see the expired root
> certificate DST Root CA X3 with openssl:
> % openssl s_client -connect www.postgresql.org:443 -servername
> www.postgresql.org

This did before, and still does, indicate either an obsolete system trust store or an obsolete OpenSSL version on your end. You need to make sure the "ISRG Root X1" cert is trusted by your machine, and you need to make sure you're running moderately recent OpenSSL (preferably > 1.0.2). If the latter is impractical, there are workarounds here:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

regards, tom lane
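
Added example, not part of the thread or of any project's code: a small Python triage of `openssl s_client` output that separates "a certificate the server sent has expired" from "the client anchored the chain on an expired root from its own trust store", the distinction the replies above draw. The sample transcript is constructed by trimming the output quoted in the thread; the function names and verdict strings are hypothetical.

```python
import re

# Constructed sample: trimmed from the s_client output quoted in the thread.
SAMPLE = """\
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
---
Certificate chain
 0 s:/CN=www.postgresql.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

def cn(name):
    """CN from either 'O = x, CN = y' or '/O=x/CN=y' notation."""
    m = re.search(r"\bCN\s*=\s*([^/,]+)", name)
    return m.group(1).strip() if m else name.strip()

def parse(transcript):
    """Return (CNs flagged with verify error 10, served chain as [subject, issuer])."""
    expired, chain, current = set(), [], None
    for line in map(str.strip, transcript.splitlines()):
        if m := re.match(r"depth=\d+\s+(.*)", line):
            current = cn(m.group(1))
        elif line.startswith("verify error:num=10:") and current:
            expired.add(current)        # 10 = X509_V_ERR_CERT_HAS_EXPIRED
        elif m := re.match(r"\d+\s+s:(.*)", line):
            chain.append([cn(m.group(1)), None])
        elif line.startswith("i:") and chain:
            chain[-1][1] = cn(line[2:])
    return expired, chain

def diagnose(transcript):
    """Classify the expiry: served certificate or client-side trust path."""
    expired, chain = parse(transcript)
    if not expired:
        return {"verdict": "no-expiry-error"}
    hit = expired & {subject for subject, _ in chain}
    if hit:  # a certificate the server actually sent has expired
        return {"verdict": "served-cert-expired", "certs": sorted(hit)}
    # Expired cert was not sent, so it came from the client's own trust store.
    top = chain[-1] if chain else [None, None]
    return {"verdict": "client-trust-path", "expired_anchor": sorted(expired),
            "trust_instead": top[0] if top[1] in expired else None}
```

For the thread's output, `diagnose(SAMPLE)` reports a client-side trust path anchored on DST Root CA X3 and names ISRG Root X1 as the served certificate the client should trust instead.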