• let's encrypt certif problem

    From Ogg@VERT/CAPCITY2 to All on Monday, October 11, 2021 20:30:00
    It's been a few months since I last checked in on my nntp
    account with eternal-september, but TB is reporting that there
    is a certif problem:

    https://susepaste.org/24549546

    It seems to look fine in the sense that the dates are still
    good.

    But is there a way to update the certif and be able to log in?





    --- OpenXP 5.0.50
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From MRO@VERT/BBSESINF to Ogg on Monday, October 11, 2021 22:21:06
    Re: let's encrypt certif problem
    By: Ogg to All on Mon Oct 11 2021 08:30 pm

    It's been a few months since I last checked in on my nntp
    account with eternal-september, but TB is reporting that there
    is a certif problem:

    https://susepaste.org/24549546

    It seems to look fine in the sense that the dates are still
    good.

    But is there a way to update the certif and be able to log in?

    why dont you talk to their support and ask them.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From Arelor@VERT/PALANT to Ogg on Tuesday, October 12, 2021 08:02:40
    Re: let's encrypt certif problem
    By: Ogg to All on Mon Oct 11 2021 08:30 pm

    It's been a few months since I last checked in on my nntp
    account with eternal-september, but TB is reporting that there
    is a certif problem:

    https://susepaste.org/24549546

    It seems to look fine in the sense that the dates are still
    good.

    But is there a way to update the certif and be able to log in?

    Most likely this is due to the fact one of Let's Encrypt's certifiers has an expired cert.

    Maybe you can remove DST X3 from your trust chain (since it is expired) and add the self signed
    let's encrypt certificate from here:

    https://letsencrypt.org/certificates/

    More information about the issue here:

    https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
  • From Ogg@VERT/CAPCITY2 to Arelor on Friday, October 15, 2021 22:16:00
    Hello Arelor!

    ** On Tuesday 12.10.21 - 08:02, Arelor wrote to Ogg:

    Maybe you can remove DST X3 from your trust chain (since it is expired)
    and add the self signed let's encrypt certificate from here:

    https://letsencrypt.org/certificates/

    More information about the issue here:

    https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

    The info and reason is all good, but I need a step-by-step
    intruction on how to work with certifs. I downloaded what I
    though was a required replacement/updated certif [Cross-signed
    by DST Root CA X3] from one of the above links, but it prompted
    me for a password to proceed with the installation.

    Meanwhile, I learned that OpenXP doesn't care about any
    certifs, and I can fetch my eternal-september messages with
    that. I don't need to use TB at all. But it wold be nice to
    fix the certif problem.

    --- OpenXP 5.0.50
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Arelor@VERT/PALANT to Ogg on Saturday, October 16, 2021 06:31:01
    Re: let's encrypt certif problem
    By: Ogg to Arelor on Fri Oct 15 2021 10:16 pm

    The info and reason is all good, but I need a step-by-step
    intruction on how to work with certifs. I downloaded what I
    though was a required replacement/updated certif [Cross-signed
    by DST Root CA X3] from one of the above links, but it prompted
    me for a password to proceed with the installation.

    Meanwhile, I learned that OpenXP doesn't care about any
    certifs, and I can fetch my eternal-september messages with
    that. I don't need to use TB at all. But it wold be nice to
    fix the certif problem.

    You need the self-signed certificate, not the cross-signed one, since the cross-signed one is using an old, expired trust chain.

    I am sure there are ten thousand guides floating around the internet regarding certificate updateing. Most Linux and BSDs around got the problem fixed via a regular update.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
  • From Ogg@VERT/CAPCITY2 to Arelor on Saturday, October 16, 2021 19:51:00
    Hello Arelor!

    ** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:

    You need the self-signed certificate, not the cross-signed
    one, since the cross-signed one is using an old, expired
    trust chain.


    I installed both self0signed ones, and I did that in XP and TB.

    Still doesn't work.


    I am sure there are ten thousand guides floating around the internet regarding certificate updateing. Most Linux and BSDs around got the
    problem fixed via a regular update.

    I know how to go through the "install certif" process in XP and
    TB. But, these marked "==>" are not making any difference:

    Active

    ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1)
    Self-signed: der, pem, txt

    Active, limited availability

    ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2)
    Self-signed: der, pem, txt



    --- OpenXP 5.0.50
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Arelor@VERT/PALANT to Ogg on Sunday, October 17, 2021 05:55:56
    Re: let's encrypt certif problem
    By: Ogg to Arelor on Sat Oct 16 2021 07:51 pm

    Hello Arelor!

    ** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:

    You need the self-signed certificate, not the cross-signed
    one, since the cross-signed one is using an old, expired
    trust chain.


    I installed both self0signed ones, and I did that in XP and TB.

    Still doesn't work.


    I am sure there are ten thousand guides floating around the internet regarding certificate updateing. Most Linux and BSDs around got the problem fixed via a regular update.

    I know how to go through the "install certif" process in XP and
    TB. But, these marked "==>" are not making any difference:

    Active

    ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1)
    Self-signed: der, pem, txt

    Active, limited availability

    ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = IS Root X2)
    Self-signed: der, pem, txt

    You also have to manually remove the expired DST X3 one.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
  • From Ogg@VERT/CAPCITY2 to Arelor on Sunday, October 17, 2021 08:51:00
    Hello Arelor!

    ** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:

    You need the self-signed certificate, not the cross-signed
    one, since the cross-signed one is using an old, expired
    trust chain.

    Just a little followup.. I tried their "test" links below:

    ISRG Root X1
    Valid <== this one worked OK
    Revoked <== this one loaded properly with "revoked"
    Expired <== this wouldn't load.

    ISRG Root X2
    Valid <== this one worked OK
    Revoked <== this one loaded with a "revoked" page.
    Expired <== this one wouldn't load.


    So.. the certifs are probably installed fine in system/browser
    program?

    Now, only TB's mail system is still complaining about
    invalidity. :(


    --- OpenXP 5.0.50
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Arelor@VERT/PALANT to Ogg on Sunday, October 17, 2021 12:09:16
    Re: let's encrypt certif problem
    By: Ogg to Arelor on Sun Oct 17 2021 08:51 am

    Hello Arelor!

    ** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:

    You need the self-signed certificate, not the cross-signed
    one, since the cross-signed one is using an old, expired
    trust chain.

    Just a little followup.. I tried their "test" links below:

    ISRG Root X1
    Valid <== this one worked OK
    Revoked <== this one loaded properly with "revoked"
    Expired <== this wouldn't load.

    ISRG Root X2
    Valid <== this one worked OK
    Revoked <== this one loaded with a "revoked" page.
    Expired <== this one wouldn't load.


    So.. the certifs are probably installed fine in system/browser
    program?

    Now, only TB's mail system is still complaining about
    invalidity. :(

    Thunderbird and Firefox have their own certificate databases. They don't use the system's.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
  • From Ogg@VERT/CAPCITY2 to Arelor on Monday, October 18, 2021 19:35:00
    Hello Arelor!

    ** On Sunday 17.10.21 - 05:55, Arelor wrote to Ogg:

    You also have to manually remove the expired DST X3 one.


    Ah.. That I haven't done.

    But I didn't see any "LetsEncrypt" certifs in the list of
    certifs.


    --- OpenXP 5.0.50
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Arelor@VERT/PALANT to Ogg on Tuesday, October 19, 2021 03:23:54
    Re: let's encrypt certif problem
    By: Ogg to Arelor on Mon Oct 18 2021 07:35 pm

    Hello Arelor!

    ** On Sunday 17.10.21 - 05:55, Arelor wrote to Ogg:

    You also have to manually remove the expired DST X3 one.


    Ah.. That I haven't done.

    But I didn't see any "LetsEncrypt" certifs in the list of
    certifs.

    Because it is not a Let's Encrypt certificate. It is an Internet Security Research Group certificate. Internet Security Research Group are the owners of Let's Encrypt.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL