[Interest] SSL & Let's Encrypt certificate expiration
Thiago Macieira
thiago.macieira at intel.com
Tue Oct 5 19:52:17 CEST 2021
On Tuesday, 5 October 2021 10:29:09 PDT maitai wrote:
> Hi all,
>
> Since the Let's Encrypt root certificate expired, we have a few users
> unable to initiate an SSL connection (most of them on recent Windows 10
> version, app built with qt 5.15.6, but also some linux cases). We are
> using OpenSSL 1.1.1.
Being slightly pedantic for future reference: no Let's Encrypt CA certificate
expired. What expired was one of the root certificates that signed Let's
Encrypt. It's not the only certificate, so Let's Encrypt continues to be
valid.
> After some searches, we found out that the ca-certificates list is empty
> in those cases. In some Linux occurrences, the list becomes "loaded"
> after around 10 minutes, and all was fine until the user restarts the
> application. In some other cases waiting does nothing to fix the issue.
We don't pre-load the CA certificate list and haven't done that for years. We
rely on OpenSSL loading exactly the certificates it needs on its own.
> I am still scratching my head about this though. Isn't it supposed to be
> useless to do that? Any insight on what is going on there will be
> appreciated.
Needs investigation. I don't understand what's wrong either.
In my case, I noticed that one application on my Android phone was complaining
of an expired certificate for my server. After debugging a lot, I found that
my IMAP server (Cyrus) was including the expired certificate in the list of
certificates it sent the client, but the SMTP and HTTPS servers weren't. So I
worked to hack the OpenSSL certificate database so it wouldn't send it.
It didn't work. As far as I can tell, in this case, the client application
found the expired signing certificate in its own database and decided to
complain, despite having another path to a valid root certificate.
But this points to the possible problem: it might depend on whether the server
is including this expired certificate in the connection negotiation or not.
You can test with "openssl s_client -connect host:port -showcerts" and decode
each one of the ones printed with "openssl x509 -text -noout" to see if the
expired one is present or not.
--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel DPG Cloud Engineering
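The check Thiago suggests, scripted, as an added example that is not part of his message or of any Qt or OpenSSL code. It pulls the chain with `openssl s_client -showcerts`, splits the PEM blocks out of the s_client chatter, decodes each one (subject, issuer, notAfter) and flags any certificate whose notAfter is already in the past. So that it runs offline, `make_fixture` builds a constructed three-certificate chain whose root is self-signed with `-days 0` and is therefore already expired; the names in it (Example Old Root, Example Intermediate, imap.example.test) are invented for the example. It assumes only the `openssl` command line tool (1.1.1 or 3.x), awk and mktemp.

```shell
#!/bin/sh
# Added example: inspect the certificate chain a TLS server actually sends and
# flag any expired certificate in it. Not code from the original post.
# Requires only the openssl CLI (1.1.1 or 3.x) plus awk; the fixture chain
# (make_fixture) is constructed locally so the script also runs offline.

# Grab what the server sends, exactly as the post suggests (-showcerts).
# $1 is host:port; the host part is also used for SNI.
fetch_chain() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null
}

# Split s_client output (or any PEM bundle) into cert-01.pem, cert-02.pem, ...
# inside $2, ignoring the non-PEM lines around the blocks. Prints the count.
split_chain() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# Decode each certificate (subject, issuer, notAfter) and test it with
# -checkend 0, which fails when notAfter is not later than the current time.
# Returns non-zero when at least one certificate in the chain has expired.
check_chain() {
    bundle=$1
    tmpd=$(mktemp -d)
    n=$(split_chain "$bundle" "$tmpd")
    if [ "$n" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmpd"
        return 2
    fi
    bad=0; i=0
    for cert in "$tmpd"/cert-*.pem; do
        i=$((i + 1))
        subj=$(openssl x509 -in "$cert" -noout -subject)
        issuer=$(openssl x509 -in "$cert" -noout -issuer)
        enddate=$(openssl x509 -in "$cert" -noout -enddate)
        if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
            status=ok
        else
            status=EXPIRED; bad=$((bad + 1))
        fi
        printf '%d: %s | %s | %s | %s\n' "$i" "$status" "$subj" "$issuer" "$enddate"
    done
    rm -rf "$tmpd"
    [ "$bad" -eq 0 ]
}

# Number of expired certificates in a bundle (0 when the chain is clean).
count_expired() {
    check_chain "$1" | grep -c '^[0-9]*: EXPIRED'
}

# Constructed fixture: a three-certificate chain in server order
# (leaf, intermediate, root) whose root has already expired, which is the
# shape of the problem discussed in the thread. All names are made up.
make_fixture() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    for name in oldroot intermediate leaf; do
        openssl ecparam -genkey -name prime256v1 -noout -out "$dir/$name.key" 2>/dev/null
    done
    # Self-signed root with zero days of validity: notAfter == notBefore == now,
    # so -checkend 0 already reports it as expired.
    openssl req -new -key "$dir/oldroot.key" -subj "/CN=Example Old Root (expired)" \
        -out "$dir/oldroot.csr" 2>/dev/null
    openssl x509 -req -in "$dir/oldroot.csr" -signkey "$dir/oldroot.key" -days 0 \
        -extfile "$dir/ca.ext" -out "$dir/oldroot.pem" 2>/dev/null
    # Intermediate signed by the expired root (x509 -req does not check the
    # issuer's validity, just as a server's static chain file is never re-checked).
    openssl req -new -key "$dir/intermediate.key" -subj "/CN=Example Intermediate" \
        -out "$dir/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/oldroot.pem" -CAkey "$dir/oldroot.key" \
        -CAcreateserial -days 365 -extfile "$dir/ca.ext" -out "$dir/intermediate.pem" 2>/dev/null
    # Leaf for a hypothetical mail server.
    openssl req -new -key "$dir/leaf.key" -subj "/CN=imap.example.test" \
        -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" \
        -CAcreateserial -days 90 -out "$dir/leaf.pem" 2>/dev/null
    cat "$dir/leaf.pem" "$dir/intermediate.pem" "$dir/oldroot.pem" > "$dir/chain.pem"
}

# Usage: check_chain.sh host:port   (live server)
#        check_chain.sh --demo      (constructed fixture)
case "${1:-}" in
    --demo)
        d=$(mktemp -d)
        make_fixture "$d"
        check_chain "$d/chain.pem"
        rm -rf "$d" ;;
    ?*)
        t=$(mktemp)
        fetch_chain "$1" > "$t"
        check_chain "$t"
        rm -f "$t" ;;
    *)
        echo "usage: $0 host:port | --demo" >&2 ;;
esac
```

Run it as `sh check_chain.sh imap.example.test:993` against a live server, or with `--demo` to see the fixture: the last line of the output is the root marked EXPIRED, and `check_chain` returns non-zero, while the same chain with the root left out is clean. For the full decode the post mentions, run `openssl x509 -text -noout` on any of the split `cert-NN.pem` files. Note that this only establishes the server-side half of the hypothesis: what the server sends is separate from what the client holds in its own trust store, which is where the Android client in the post found the expired certificate.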