[Interest] SSL & Let's Encrypt certificate expiration

Christophe Thomas oxygen77.ct at gmail.com
Tue Oct 5 20:45:23 CEST 2021


Hello,

For the cert chain we are currently using the default LE setting so we
currently provide the X1 Cross signed with expired X3.

Netherless, the issue is that strangely we need to force caCertificate load
in order to have the connexion accepted.

Regards,

Christophe

Le mar. 5 oct. 2021 à 19:58, ekke <ekke at ekkes-corner.org> a écrit :

> Please check if the certificate at server is correct created and uses ISRG
> Root X1 instead of DST Root CA X3
>
> ekke
>
> Am 05.10.21 um 19:29 schrieb maitai:
>
> Hi all,
>
> Since the Let's Encrypt root certificate expired, we have a few users
> unable to initiate a SSL connexion (most of them on recent Windows 10
> version, app built with qt 5.15.6, but also some linux cases). We are using
> OpenSSL 1.1.1.
>
> After some searches, we found out that the ca-certificates list is empty
> in that cases. In some Linux occurrences, the list becomes "loaded" after
> around 10 minutes, and all was fine until the user restarts the
> application. In some other cases waiting does nothing to fix the issue.
>
> I must say that most users are OK, it impacted only a few of them, and I
> was not able to find a common pattern like Windows version or so.
>
> What we did finally to fix it is to force the loading of CA-Certificates,
> that way, during the initialization of the application:
>
>      QSslConfiguration def = QSslConfiguration::defaultConfiguration();
>      def.setCaCertificates(QSslConfiguration::systemCaCertificates());
>      QSslConfiguration::setDefaultConfiguration(def);
>
> And then all is fine.
>
>
> I am still scratching my head about this though. Isn't it supposed to be
> useless to do that? Any insight on what is going on there will be
> appreciated.
>
> Thanks
> Philippe Lelong.
>
> _______________________________________________
> Interest mailing listInterest at qt-project.orghttps://lists.qt-project.org/listinfo/interest
>
>
> _______________________________________________
> Interest mailing list
> Interest at qt-project.org
> https://lists.qt-project.org/listinfo/interest
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/interest/attachments/20211005/782c6d23/attachment.html>


More information about the Interest mailing list