[Interest] SSL & Let's Encrypt certificate expiration
ekke
ekke at ekkes-corner.org
Tue Oct 5 19:54:55 CEST 2021
Please check if the certificate at server is correct created and uses
ISRG Root X1 instead of DST Root CA X3
ekke
Am 05.10.21 um 19:29 schrieb maitai:
> Hi all,
>
> Since the Let's Encrypt root certificate expired, we have a few users
> unable to initiate a SSL connexion (most of them on recent Windows 10
> version, app built with qt 5.15.6, but also some linux cases). We are
> using OpenSSL 1.1.1.
>
> After some searches, we found out that the ca-certificates list is
> empty in that cases. In some Linux occurrences, the list becomes
> "loaded" after around 10 minutes, and all was fine until the user
> restarts the application. In some other cases waiting does nothing to
> fix the issue.
>
> I must say that most users are OK, it impacted only a few of them, and
> I was not able to find a common pattern like Windows version or so.
>
> What we did finally to fix it is to force the loading of
> CA-Certificates, that way, during the initialization of the application:
>
> QSslConfiguration def = QSslConfiguration::defaultConfiguration();
> def.setCaCertificates(QSslConfiguration::systemCaCertificates());
> QSslConfiguration::setDefaultConfiguration(def);
>
> And then all is fine.
> I am still scratching my head about this though. Isn't it supposed to
> be useless to do that? Any insight on what is going on there will be
> appreciated.
> Thanks
> Philippe Lelong.
>
> _______________________________________________
> Interest mailing list
> Interest at qt-project.org
> https://lists.qt-project.org/listinfo/interest
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/interest/attachments/20211005/7cb4424a/attachment.html>
More information about the Interest
mailing list