Certificate expired??

cbiweb

I am suddenly getting this error message when trying receive email:

TLS handshake failure. Invalid server certificate (This certificate has expired).

I had checked my email 5 minutes previously, and it was fine. What happened in the past 5 minutes??

Edit: this is happening with both of my domains - cbiweb.com and musicianaire.ca.

sean

cbiweb the certificates on the incoming mail servers do not expire until December 3.

Does the error message you're seeing include all of the details regarding the server and the certificate? If so then can you please screenshot that and email it to support @ opalstack.com?

cbiweb

sean nope.... can't send either. Same error message.

I relaunched my email client to see if that fixes it, but no go.

Edit: just sent you an email from my protonmail.com address.

sean

Looks like this is related to the Let's Encrypt root cert expiry: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ - but we've already covered the bases for that. We're going over our setup now to find out where the problem is.

aa11

Hi,

Last week this got a personal computer of mine that's using a fairly old operating system. Basically 1/2 of the Internet stopped working 😱, including my Opalstack sites that have https enabled.

Long story short, I figured out a way to manually install and trust the ISRG Root X1 Root Certificate that Let's Encrypt now uses in place of the now-expired IdentTrust DST Root CA X3.

sean Looks like this is related to the Let's Encrypt root cert expiry: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ - but we've already covered the bases for that. We're going over our setup now to find out where the problem is.

I assume this root certificate switch is (at least partially) what you meant by this reply.

The thing is, my OS https sites are going to continue to be broken for anyone that hasn't installed & trusted the "ISRG Root X1" cert.

I was wondering if there is anything that can be done, server-side, to mitigate this, which still respecting the new LE root certificate.

I did some research and found the following:

https://community.letsencrypt.org/t/users-of-older-android-and-windows-7-not-able-to-access-website/161557/15

https://poshac.me/docs/v4/Guides/Using-Alternate-Trust-Chains/#serving-the-alternate-chain-from-windows

I don't know enough to know whether this applies to OS, and even if it does, if it's possible for you to implement. This seems to be for servers and not clients. But maybe I've misread it.

What do you think @sean?

Thanks!

sean

Should be working now.

cbiweb

sean unfortunately not. Is there anything I need to do on my end? Reboot or whatever? I'm using a POP3 client (TheBat). Not sure if I need to reset or tweak any of the email settings?

sean

cbiweb which version of TheBat? If it's very old then you might have to upgrade the client.

A reboot may or may not help, it certainly won't hurt.

cbiweb

sean 9.3.4, which is the latest as far as I know.
Edit: actually I just checked, and upgraded to 9.4.4, but the issue remains.

cbiweb

sean issue still exists for me. I can get into Webmail, but POP3 still won't work. Should I try another POP3 client? Thunderbird perhaps?

sean

cbiweb Yes, please let me know if you notice the problem in a different client.

What operating system and version are you using?

cbiweb

sean

Windows 10 Home x64
v20H2
OS Build 19042.1237
Basically the latest updated Win10.

No weird config or anything, I don't get kinky with my machines, LOL.

I'll set up one of my email accounts in latest version of Thunderbird in the next few minutes and get back to you.

cbiweb

sean Well this is both good and bad.

I set up one of my email accounts in Tbird, and it works! That's the good part.
The bad part is apparently I need to contact TheBat and tell them their client isn't accepting the certificate? And getting them to actually do something about it is like pulling teeth.

The other bad part is I might have to switch everything over to Tbird, which will be an unwanted (unnecessary) huge project.

sean

cbiweb yes, I'm afraid you'll need to contact your mail client provider to find out why their latest software isn't working with a valid SSL certificate.

cbiweb

sean I had to add the certificate to TheBat myself. Job done, all is well. Thanks for the help! 🙂

sean

cbiweb Awesome, glad you were able to sort that out!

sean

aa11 There's nothing we can do on our end to fix this. The LE root certificate is completely outside of our control.

If your freely-provided LE certificates aren't working for your site visitors then you'll need to purchase a SSL certificate from a commercial provider and install that as a manual certificate.

aa11

sean

Understood.

Those posts I linked to seem like good leads, since they provide instructions for using "Alternate Trust Chains". They don't have anything to do with controlling LE.

The ACME protocol allows for a CA to offer alternate trust chains in order to accommodate the natural lifecycle of Root and Issuing certificates. As of this writing, the only public ACME CA that currently offers alternate trust chains is Let's Encrypt. But the instructions in this guide should work for any ACME CA.

Let's Encrypt Options

To understand why Let's Encrypt is offering multiple trust chains and why you as a site/service operator would choose one or the other, it is helpful to read the following posts [...]

Via:
https://poshac.me/docs/v4/Guides/Using-Alternate-Trust-Chains/#serving-the-alternate-chain-from-windows

Just to make sure:
Alternate trust chains are not something your going to be offering on OS?

Thanks.

sean

aa11 I don't think that's a viable option for us but I'll check with our sysadmins and will follow up here when I have more info.

aa11

sean I don't think that's a viable option for us but I'll check with our sysadmins and will follow up here when I have more info.

Yeah, I figured it would be tricky on a shared system.

Thank you!!

aa11

aa11 sean I don't think that's a viable option for us but I'll check with our sysadmins and will follow up here when I have more info.

Any updates on this?

Thanks.