• let's encrypt certif problem

    From Ogg@VERT/CAPCITY2 to All on Mon Oct 11 20:30:00 2021
    It's been a few months since I last checked in on my nntp
    account with eternal-september, but TB is reporting that there
    is a certif problem:

    https://susepaste.org/24549546

    It seems to look fine in the sense that the dates are still
    good.

    But is there a way to update the certif and be able to log in?





    --- OpenXP 5.0.50
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Arelor@VERT/PALANT to Ogg on Tue Oct 12 08:02:40 2021
    Re: let's encrypt certif problem
    By: Ogg to All on Mon Oct 11 2021 08:30 pm

    It's been a few months since I last checked in on my nntp
    account with eternal-september, but TB is reporting that there
    is a certif problem:

    https://susepaste.org/24549546

    It seems to look fine in the sense that the dates are still
    good.

    But is there a way to update the certif and be able to log in?

    Most likely this is due to the fact one of Let's Encrypt's certifiers has an expired cert.

    Maybe you can remove DST X3 from your trust chain (since it is expired) and add the self-signed
    Let's Encrypt certificate from here:

    https://letsencrypt.org/certificates/

    More information about the issue here:

    https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
  • From Ogg@VERT/CAPCITY2 to Arelor on Fri Oct 15 22:16:00 2021
    Hello Arelor!

    ** On Tuesday 12.10.21 - 08:02, Arelor wrote to Ogg:

    Maybe you can remove DST X3 from your trust chain (since it is expired)
    and add the self-signed Let's Encrypt certificate from here:

    https://letsencrypt.org/certificates/

    More information about the issue here:

    https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

    The info and reason is all good, but I need a step-by-step
    instruction on how to work with certifs. I downloaded what I
    thought was a required replacement/updated certif [Cross-signed
    by DST Root CA X3] from one of the above links, but it prompted
    me for a password to proceed with the installation.

    Meanwhile, I learned that OpenXP doesn't care about any
    certifs, and I can fetch my eternal-september messages with
    that. I don't need to use TB at all. But it would be nice to
    fix the certif problem.

    --- OpenXP 5.0.50
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Arelor@VERT/PALANT to Ogg on Sat Oct 16 06:31:01 2021
    Re: let's encrypt certif problem
    By: Ogg to Arelor on Fri Oct 15 2021 10:16 pm

    The info and reason is all good, but I need a step-by-step
    instruction on how to work with certifs. I downloaded what I
    thought was a required replacement/updated certif [Cross-signed
    by DST Root CA X3] from one of the above links, but it prompted
    me for a password to proceed with the installation.

    Meanwhile, I learned that OpenXP doesn't care about any
    certifs, and I can fetch my eternal-september messages with
    that. I don't need to use TB at all. But it would be nice to
    fix the certif problem.

    You need the self-signed certificate, not the cross-signed one, since the cross-signed one is using an old, expired trust chain.

    I am sure there are ten thousand guides floating around the internet regarding certificate updating. Most Linux and BSDs around got the problem fixed via a regular update.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
  • From Ogg@VERT/CAPCITY2 to Arelor on Sat Oct 16 19:51:00 2021
    Hello Arelor!

    ** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:

    You need the self-signed certificate, not the cross-signed
    one, since the cross-signed one is using an old, expired
    trust chain.


    I installed both self-signed ones, and I did that in XP and TB.

    Still doesn't work.


    I am sure there are ten thousand guides floating around the internet regarding certificate updating. Most Linux and BSDs around got the
    problem fixed via a regular update.

    I know how to go through the "install certif" process in XP and
    TB. But, these marked "==>" are not making any difference:

    Active

    ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1)
    Self-signed: der, pem, txt

    Active, limited availability

    ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2)
    Self-signed: der, pem, txt



    --- OpenXP 5.0.50
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Arelor@VERT/PALANT to Ogg on Sun Oct 17 05:55:56 2021
    Re: let's encrypt certif problem
    By: Ogg to Arelor on Sat Oct 16 2021 07:51 pm

    Hello Arelor!

    ** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:

    You need the self-signed certificate, not the cross-signed
    one, since the cross-signed one is using an old, expired
    trust chain.


    I installed both self-signed ones, and I did that in XP and TB.

    Still doesn't work.


    I am sure there are ten thousand guides floating around the internet regarding certificate updating. Most Linux and BSDs around got the problem fixed via a regular update.

    I know how to go through the "install certif" process in XP and
    TB. But, these marked "==>" are not making any difference:

    Active

    ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1)
    Self-signed: der, pem, txt

    Active, limited availability

    ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2)
    Self-signed: der, pem, txt

    You also have to manually remove the expired DST X3 one.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
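
Added example, not part of any post in this thread: a simplified model of why installing the self-signed ISRG Root X1 is not enough while the expired DST Root CA X3 stays in the store. It assumes a client that follows the served chain to its longest path before consulting its trust store (an assumption, not Thunderbird's actual code); the host name and all dates other than DST Root CA X3's September 2021 expiry are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed stand-ins: names follow the thread, dates are illustrative
# except that DST Root CA X3 expired at the end of September 2021.
DST_X3   = Cert("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30))
ISRG_X1  = Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4))     # self-signed
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30))  # cross-signed
R3       = Cert("R3", "ISRG Root X1", utc(2025, 9, 15))
LEAF     = Cert("news.example.invalid", "R3", utc(2021, 12, 1))
SERVED   = [LEAF, R3, X1_CROSS]           # chain as sent by the server

def validate(served, roots, now):
    """Assumed legacy behaviour: try the longest served path first and let the
    first trust anchor found decide, even if that anchor has expired."""
    store = {c.subject: c for c in roots}
    for end in range(len(served), 0, -1):
        path = served[:end]
        anchor = store.get(path[-1].issuer)
        if anchor is None:
            continue                      # no anchor here, try a shorter path
        for cert in path + [anchor]:
            if cert.not_after < now:
                return f"expired: {cert.subject}"
        return f"ok via {anchor.subject}"
    return "no trusted anchor"

def scenarios(now=utc(2021, 10, 11)):
    """Three trust-store states from the thread, checked on the first post's date."""
    return {
        "old store": validate(SERVED, [DST_X3], now),
        "ISRG X1 added, DST X3 kept": validate(SERVED, [DST_X3, ISRG_X1], now),
        "ISRG X1 added, DST X3 removed": validate(SERVED, [ISRG_X1], now),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32} {result}")
```
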
  • From Ogg@VERT/CAPCITY2 to Arelor on Sun Oct 17 08:51:00 2021
    Hello Arelor!

    ** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:

    You need the self-signed certificate, not the cross-signed
    one, since the cross-signed one is using an old, expired
    trust chain.

    Just a little followup.. I tried their "test" links below:

    ISRG Root X1
    Valid <== this one worked OK
    Revoked <== this one loaded properly with "revoked"
    Expired <== this wouldn't load.

    ISRG Root X2
    Valid <== this one worked OK
    Revoked <== this one loaded with a "revoked" page.
    Expired <== this one wouldn't load.


    So.. the certifs are probably installed fine in system/browser
    program?

    Now, only TB's mail system is still complaining about
    invalidity. :(


    --- OpenXP 5.0.50
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Arelor@VERT/PALANT to Ogg on Sun Oct 17 12:09:16 2021
    Re: let's encrypt certif problem
    By: Ogg to Arelor on Sun Oct 17 2021 08:51 am

    Hello Arelor!

    ** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:

    You need the self-signed certificate, not the cross-signed
    one, since the cross-signed one is using an old, expired
    trust chain.

    Just a little followup.. I tried their "test" links below:

    ISRG Root X1
    Valid <== this one worked OK
    Revoked <== this one loaded properly with "revoked"
    Expired <== this wouldn't load.

    ISRG Root X2
    Valid <== this one worked OK
    Revoked <== this one loaded with a "revoked" page.
    Expired <== this one wouldn't load.


    So.. the certifs are probably installed fine in system/browser
    program?

    Now, only TB's mail system is still complaining about
    invalidity. :(

    Thunderbird and Firefox have their own certificate databases. They don't use the system's.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
  • From Ogg@VERT/CAPCITY2 to Arelor on Mon Oct 18 19:35:00 2021
    Hello Arelor!

    ** On Sunday 17.10.21 - 05:55, Arelor wrote to Ogg:

    You also have to manually remove the expired DST X3 one.


    Ah.. That I haven't done.

    But I didn't see any "LetsEncrypt" certifs in the list of
    certifs.


    --- OpenXP 5.0.50
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Arelor@VERT/PALANT to Ogg on Tue Oct 19 03:23:54 2021
    Re: let's encrypt certif problem
    By: Ogg to Arelor on Mon Oct 18 2021 07:35 pm

    Hello Arelor!

    ** On Sunday 17.10.21 - 05:55, Arelor wrote to Ogg:

    You also have to manually remove the expired DST X3 one.


    Ah.. That I haven't done.

    But I didn't see any "LetsEncrypt" certifs in the list of
    certifs.

    Because it is not a Let's Encrypt certificate. It is an Internet Security Research Group certificate. Internet Security Research Group are the owners of Let's Encrypt.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL