Thread: Certificate expired

Certificate expired

From
Sylvie Greverend
Date:

I am trying to install postgresql on a new server [ CentOS Linux release 7.3.1611 (Core) ]. I have a certificate expired

I had previously installed on other centos servers [same version]

 

I posted an error on centos https://bugs.centos.org/view.php?id=18580. But they sent me back to [postgresql

 

Thank you very much for your help

 

On new server

openssl s_client -connect download.postgresql.org:443 -servername download.postgresql.org | openssl x509 -dates -noout

depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3

verify error:num=10:certificate has expired

notAfter=Sep 30 14:01:15 2021 GMT

notBefore=Feb 18 09:08:35 2023 GMT

notAfter=May 19 09:08:34 2023 GMT

 

date

Wed Mar 15 13:37:56 EDT 2023

 

On a server previously installed

openssl s_client -connect download.postgresql.org:443 -servername download.postgresql.org | openssl x509 -dates -noout

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1

verify return:1

depth=1 C = US, O = Let's Encrypt, CN = R3

verify return:1

depth=0 CN = ftp.postgresql.org

verify return:1

notBefore=Jan 30 21:08:05 2023 GMT

notAfter=Apr 30 21:08:04 2023 GMT

 

date

Wed Mar 15 13:40:30 EDT 2023

 

Re: Certificate expired

From
Magnus Hagander
Date:


On Wed, Mar 15, 2023 at 7:25 PM Sylvie Greverend <SGreverend@harriscomputer.com> wrote:

I am trying to install postgresql on a new server [ CentOS Linux release 7.3.1611 (Core) ]. I have a certificate expired

I had previously installed on other centos servers [same version]

 

I posted an error on centos https://bugs.centos.org/view.php?id=18580. But they sent me back to [postgresql

 

Thank you very much for your help

 

On new server

openssl s_client -connect download.postgresql.org:443 -servername download.postgresql.org | openssl x509 -dates -noout

depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3

verify error:num=10:certificate has expired

notAfter=Sep 30 14:01:15 2021 GMT

notBefore=Feb 18 09:08:35 2023 GMT

notAfter=May 19 09:08:34 2023 GMT

 

date

Wed Mar 15 13:37:56 EDT 2023

 

On a server previously installed

openssl s_client -connect download.postgresql.org:443 -servername download.postgresql.org | openssl x509 -dates -noout

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1

verify return:1

depth=1 C = US, O = Let's Encrypt, CN = R3

verify return:1

depth=0 CN = ftp.postgresql.org

verify return:1

notBefore=Jan 30 21:08:05 2023 GMT

notAfter=Apr 30 21:08:04 2023 GMT

 

date

Wed Mar 15 13:40:30 EDT 2023

 


This looks like the machine is picking up the old letsencrypt root. This is normally fixed if you ensure your ca-certificates package is up to date. What version of that package are you running with, and have you installed all available updates to that and openssl? Your command output is consistent with a machine that's not properly updated.

(You'll note that your reference from the centos page also says there appears to be nothing wrong with the servers..)

//Magnus
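An added example, not part of the thread or written by its participants: a small shell function (the name `classify_verify_output` is made up here) that reads `openssl s_client` verify output and reports whether the expired certificate is the server's own (depth 0) or a CA higher in the chain the client built. The second case is what the new server's output above shows. The first two sample inputs are copied from the thread; the third is constructed.

```shell
#!/bin/sh
# Classify `openssl s_client` verify output read from stdin. Prints one of:
#   ok                             no "certificate has expired" error seen
#   leaf-expired: <subject>        the server certificate itself (depth 0)
#   ca-expired depth=N: <subject>  a CA in the chain this client built
classify_verify_output() {
    awk '
        /^depth=[0-9]+ / {
            # Remember which certificate the following verify line refers to.
            depth = $1;   sub(/^depth=/, "", depth)
            subject = $0; sub(/^depth=[0-9]+ /, "", subject)
            next
        }
        /^verify error:num=10:certificate has expired/ && !found {
            found = 1; bad_depth = depth; bad_subject = subject
        }
        END {
            if (!found)                  print "ok"
            else if (bad_depth + 0 == 0) print "leaf-expired: " bad_subject
            else print "ca-expired depth=" bad_depth ": " bad_subject
        }
    '
}

# Output copied from the thread: the new server.
NEW_SERVER='depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
notBefore=Feb 18 09:08:35 2023 GMT
notAfter=May 19 09:08:34 2023 GMT'

# Output copied from the thread: the previously installed server.
OLD_SERVER='depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let'\''s Encrypt, CN = R3
verify return:1
depth=0 CN = ftp.postgresql.org
verify return:1
notBefore=Jan 30 21:08:05 2023 GMT
notAfter=Apr 30 21:08:04 2023 GMT'

# Constructed input: a server certificate that really has expired.
LEAF_EXPIRED='depth=0 CN = example.invalid
verify error:num=10:certificate has expired'

printf '%s\n' "$NEW_SERVER"   | classify_verify_output
printf '%s\n' "$OLD_SERVER"   | classify_verify_output
printf '%s\n' "$LEAF_EXPIRED" | classify_verify_output
```

When feeding live output to the function, redirect stderr into the pipe (`2>&1`), since `s_client` writes the `depth=` and `verify` lines there.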

Re: Certificate expired

From
Sergei Kornilov
Date:
Hello
I'm pretty sure you haven't updated your ca-certificates for at least a few years. This was a known story in early October 2021.
 

for example, https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4

regards, Sergei