Thursday, September 30, 2021

Re: Server certs expired higher up the chain, imaps and https

Chris Bennett(cpb_misc@bennettconstruction.us) on 2021.09.30 10:02:17 -0700:
> Hi,
>
> I'm getting that the certs are expired, but https works fine in Firefox,
> including when looking at the full chain.
>
>
> openssl s_client -servername mail.strengthcouragewisdom.rocks -connect mail.strengthcouragewisdom.rocks:imaps
>
> openssl s_client -servername mail.strengthcouragewisdom.rocks -connect mail.strengthcouragewisdom.rocks:https
>
> However, they are not happy. I force updated my ssl certs, syspatch, pkg_add
> -u and rebooted.
>
> I didn't rebuild dh.pem for dovecot.
>
> Is this just a DNS propagation issue?
> Or should I do something further myself?

This is an issue with an expired root/intermediate certificate (DST Root X3)
in use by Let's Encrypt.

Stuart Henderson (sthen@) summarized it like this:

LibreSSL in OpenBSD 6.9/earlier is having problems with the expiry of a
CA certificate used to cross-sign Let's Encrypt certs.

LE decided not to switch to using their own root fully, rather they
are continuing to use the expired cross-signer to increase compatibility
with old Android devices, which is tickling this problem.
https://letsencrypt.org/2020/12/21/extending-android-compatibility.html

An errata has just been published; you can install it using syspatch.

Best,
Benno
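To tell the two situations apart on any server (chain served all the way to the expired cross-signer, versus a chain a client can anchor at ISRG Root X1), here is an added helper that is not part of the thread: it parses a saved `openssl s_client -showcerts` dump and reports what the served chain terminates at and what the verifier said. The `SAMPLE` text, including `mail.example.org`, is constructed to mirror the output shape of the commands quoted above.

```python
"""Summarize the chain from `openssl s_client -showcerts` output (runs offline on a saved dump)."""
import re

# Constructed sample: the subject/issuer lines s_client prints when a server still sends
# Let's Encrypt's cross-signed ISRG Root X1, plus the verify line seen after DST Root CA X3 expired.
SAMPLE = """\
Certificate chain
 0 s:/CN=mail.example.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
    Verify return code: 10 (certificate has expired)
"""
EXPIRED_CROSS_SIGNER = "DST Root CA X3"   # expired 2021-09-30; cross-signed ISRG Root X1

def common_name(dn):
    """Pull the CN out of either DN style: '/C=US/CN=R3' or 'C = US, CN = R3'."""
    m = re.search(r"CN\s*=\s*([^/,]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text):
    """Return [(depth, subject CN, issuer CN), ...] in the order the server sent them."""
    pairs = re.findall(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", text, re.M)
    return [(int(d), common_name(s), common_name(i)) for d, s, i in pairs]

def verify_result(text):
    """Return (code, message) from the 'Verify return code' line, or None if absent."""
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", text)
    return (int(m.group(1)), m.group(2)) if m else None

def diagnose(text):
    """Say what the served chain terminates at and whether this client rejected it."""
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no 'Certificate chain' block in input")
    terminal_issuer = chain[-1][2]   # issuer of the last certificate the server sent
    # A client trusting ISRG Root X1 directly can stop at the cert it issued; one that
    # walks the served chain to its end meets the expired DST root and fails.
    result = verify_result(text)
    return {
        "leaf": chain[0][1],
        "terminal_issuer": terminal_issuer,
        "ends_at_expired_cross_signer": terminal_issuer == EXPIRED_CROSS_SIGNER,
        "isrg_root_x1_issued_a_served_cert": any(i == "ISRG Root X1" for _, _, i in chain),
        "verify_code": result[0] if result else None,
        "verify_message": result[1] if result else None,
    }
```

Feed it the saved output of the `openssl s_client ... -showcerts` run (`diagnose(open("dump.txt").read())`); a chain whose `terminal_issuer` is ISRG Root X1 rather than DST Root CA X3 is one the expired cross-signer no longer affects.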
