• let's encrypt certif problem

    From Ogg@VERT/CAPCITY2 to Arelor on Friday, October 15, 2021 22:16:00
    Hello Arelor!

    ** On Tuesday 12.10.21 - 08:02, Arelor wrote to Ogg:

    Maybe you can remove DST X3 from your trust chain (since it is expired)
    and add the self signed let's encrypt certificate from here:

    https://letsencrypt.org/certificates/

    More information about the issue here:

    https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

    The info and reason is all good, but I need a step-by-step
    instruction on how to work with certifs. I downloaded what I
    thought was a required replacement/updated certif [Cross-signed
    by DST Root CA X3] from one of the above links, but it prompted
    me for a password to proceed with the installation.

    Meanwhile, I learned that OpenXP doesn't care about any
    certifs, and I can fetch my eternal-september messages with
    that. I don't need to use TB at all. But it would be nice to
    fix the certif problem.

    --- OpenXP 5.0.50
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Arelor@VERT/PALANT to Ogg on Saturday, October 16, 2021 06:31:01
    Re: let's encrypt certif problem
    By: Ogg to Arelor on Fri Oct 15 2021 10:16 pm

    The info and reason is all good, but I need a step-by-step
    instruction on how to work with certifs. I downloaded what I
    thought was a required replacement/updated certif [Cross-signed
    by DST Root CA X3] from one of the above links, but it prompted
    me for a password to proceed with the installation.

    Meanwhile, I learned that OpenXP doesn't care about any
    certifs, and I can fetch my eternal-september messages with
    that. I don't need to use TB at all. But it would be nice to
    fix the certif problem.

    You need the self-signed certificate, not the cross-signed one, since the cross-signed one is using an old, expired trust chain.

    I am sure there are ten thousand guides floating around the internet regarding certificate updating. Most Linux and BSDs around got the problem fixed via a regular update.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
  • From Ogg@VERT/CAPCITY2 to Arelor on Saturday, October 16, 2021 19:51:00
    Hello Arelor!

    ** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:

    You need the self-signed certificate, not the cross-signed
    one, since the cross-signed one is using an old, expired
    trust chain.


    I installed both self-signed ones, and I did that in XP and TB.

    Still doesn't work.


    I am sure there are ten thousand guides floating around the internet regarding certificate updating. Most Linux and BSDs around got the
    problem fixed via a regular update.

    I know how to go through the "install certif" process in XP and
    TB. But, these marked "==>" are not making any difference:

    Active

    ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1)
    Self-signed: der, pem, txt

    Active, limited availability

    ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2)
    Self-signed: der, pem, txt



    --- OpenXP 5.0.50
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Arelor@VERT/PALANT to Ogg on Sunday, October 17, 2021 05:55:56
    Re: let's encrypt certif problem
    By: Ogg to Arelor on Sat Oct 16 2021 07:51 pm

    Hello Arelor!

    ** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:

    You need the self-signed certificate, not the cross-signed
    one, since the cross-signed one is using an old, expired
    trust chain.


    I installed both self-signed ones, and I did that in XP and TB.

    Still doesn't work.


    I am sure there are ten thousand guides floating around the internet regarding certificate updating. Most Linux and BSDs around got the problem fixed via a regular update.

    I know how to go through the "install certif" process in XP and
    TB. But, these marked "==>" are not making any difference:

    Active

    ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1)
    Self-signed: der, pem, txt

    Active, limited availability

    ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2)
    Self-signed: der, pem, txt

    You also have to manually remove the expired DST X3 one.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
  • From Ogg@VERT/CAPCITY2 to Arelor on Sunday, October 17, 2021 08:51:00
    Hello Arelor!

    ** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:

    You need the self-signed certificate, not the cross-signed
    one, since the cross-signed one is using an old, expired
    trust chain.

    Just a little followup.. I tried their "test" links below:

    ISRG Root X1
    Valid <== this one worked OK
    Revoked <== this one loaded properly with "revoked"
    Expired <== this wouldn't load.

    ISRG Root X2
    Valid <== this one worked OK
    Revoked <== this one loaded with a "revoked" page.
    Expired <== this one wouldn't load.


    So.. the certifs are probably installed fine in system/browser
    program?

    Now, only TB's mail system is still complaining about
    invalidity. :(


    --- OpenXP 5.0.50
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Arelor@VERT/PALANT to Ogg on Sunday, October 17, 2021 12:09:16
    Re: let's encrypt certif problem
    By: Ogg to Arelor on Sun Oct 17 2021 08:51 am

    Hello Arelor!

    ** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:

    You need the self-signed certificate, not the cross-signed
    one, since the cross-signed one is using an old, expired
    trust chain.

    Just a little followup.. I tried their "test" links below:

    ISRG Root X1
    Valid <== this one worked OK
    Revoked <== this one loaded properly with "revoked"
    Expired <== this wouldn't load.

    ISRG Root X2
    Valid <== this one worked OK
    Revoked <== this one loaded with a "revoked" page.
    Expired <== this one wouldn't load.


    So.. the certifs are probably installed fine in system/browser
    program?

    Now, only TB's mail system is still complaining about
    invalidity. :(

    Thunderbird and Firefox have their own certificate databases. They don't use the system's.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
  • From Ogg@VERT/CAPCITY2 to Arelor on Monday, October 18, 2021 19:35:00
    Hello Arelor!

    ** On Sunday 17.10.21 - 05:55, Arelor wrote to Ogg:

    You also have to manually remove the expired DST X3 one.


    Ah.. That I haven't done.

    But I didn't see any "LetsEncrypt" certifs in the list of
    certifs.


    --- OpenXP 5.0.50
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Arelor@VERT/PALANT to Ogg on Tuesday, October 19, 2021 03:23:54
    Re: let's encrypt certif problem
    By: Ogg to Arelor on Mon Oct 18 2021 07:35 pm

    Hello Arelor!

    ** On Sunday 17.10.21 - 05:55, Arelor wrote to Ogg:

    You also have to manually remove the expired DST X3 one.


    Ah.. That I haven't done.

    But I didn't see any "LetsEncrypt" certifs in the list of
    certifs.

    Because it is not a Let's Encrypt certificate. It is an Internet Security Research Group certificate. Internet Security Research Group are the owners of Let's Encrypt.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
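
The advice in this thread (remove the expired DST Root CA X3, keep the self-signed ISRG root rather than the cross-signed one, and look for "ISRG" rather than "Let's Encrypt" in the list) can be checked mechanically. The following is an added example, not part of any post above: it audits a trust list in the form Python's `ssl` module returns, and assumes the store has been exported to a PEM bundle (Thunderbird's own database is not a PEM file). The function names, the sample entries and their dates are constructed for illustration.

```python
import ssl

def _cn(name):
    """Pull commonName out of the nested RDN tuples ssl uses for subject/issuer."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return "(no CN)"

def load_bundle(pem_path):
    """Parse a PEM CA bundle with the stdlib; nothing is fetched over the network."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=pem_path)
    return ctx.get_ca_certs()

def audit_anchors(ca_certs, now):
    """Return [(subject CN, verdict)] for each entry, judged at `now` (epoch seconds)."""
    report = []
    for cert in ca_certs:
        subject, issuer = _cn(cert["subject"]), _cn(cert["issuer"])
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            verdict = "expired: remove"
        elif cert["subject"] != cert["issuer"]:
            verdict = f"cross-signed by {issuer}: replace with self-signed root"
        else:
            verdict = "self-signed root: keep"
        report.append((subject, verdict))
    return report

def _name(org, cn):
    # Same shape as the 'subject'/'issuer' values in SSLContext.get_ca_certs()
    return ((("organizationName", org),), (("commonName", cn),))

# Constructed sample entries (dates illustrative), mirroring the three certificates
# discussed in the thread: expired root, cross-signed ISRG, self-signed ISRG.
DST = _name("Digital Signature Trust Co.", "DST Root CA X3")
ISRG = _name("Internet Security Research Group", "ISRG Root X1")
SAMPLE = [
    {"subject": DST, "issuer": DST, "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ISRG, "issuer": DST, "notAfter": "Sep 30 18:14:03 2024 GMT"},
    {"subject": ISRG, "issuer": ISRG, "notAfter": "Jun  4 11:04:38 2035 GMT"},
]
NOW = ssl.cert_time_to_seconds("Oct 15 22:16:00 2021 GMT")  # date of the first post

if __name__ == "__main__":
    for subject, verdict in audit_anchors(SAMPLE, NOW):
        print(f"{subject:16} {verdict}")
```

To run it against a real exported bundle, pass `load_bundle("bundle.pem")` and `time.time()` to `audit_anchors`; the file name is a placeholder.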