[Interest] SSL & Let's Encrypt certificate expiration

Hamish Moffatt hamish at risingsoftware.com
Wed Oct 6 11:41:39 CEST 2021


On 6/10/21 20:02, Christophe Thomas wrote:
> Thank you for the hint, I found this link that talks about it: 
> https://community.letsencrypt.org/t/isrg-root-lazy-loading-problem-missing-from-random-updated-windows-10-versions/141550/2 
>
>
> We've also tested on an old Linux (Ubuntu 16).
>
> When trying to connect to one test website, openssl is not finalizing the 
> connection due to the expired DST Root X3, and we can see that the chain is
> website cert  => ISRG X1 root => DST Root X3
>
> Doing the same test with our own software (that uses our own shipped 
> lib for openssl) from scratch, we fail, and we can see we use the same 
> chain as above.
>
> Third test, still with our software but forcing loading the CA cert 
> before the first connection (see first email from maitai => 
> def.setCaCertificates(QSslConfiguration::systemCaCertificates());)
> In this case we still have the same chain reported, but with DST Root 
> X3 expiring in 2024, and the connection is OK
>
> Also on this device, we find the ISRG_Root_X3.pem that is expired.


We still support an old version of our app shipped with Qt 5.8 and 
OpenSSL 1.0.1. This stopped working when the X3 root expired, as expected.

I upgraded to 1.0.2u and added the X1 root directly to Qt. Now the 
application works. But the instructions from OpenSSL say to also remove 
the X3 root, which I'm not able to do (it's loaded from Windows), so I am 
puzzled by why this works. I have not done anything special when 
generating my certificates, like requesting the alternate certificate chain.


I have Qt 5.15 (OpenSSL 1.1) applications deployed on Debian 10 and have 
not had to do anything to keep that working.


Hamish