Problems with sites using Let's Encrypt certificates

James Cook falsifian at falsifian.org
Wed Oct 13 17:40:11 PDT 2021


> I remain puzzled, however, why the mirror-master.dragonflybsd.org site
> could have had an expired Web certificate for the last two weeks
> without manual repair and reports on this list that first appeared on
> 30-Sep-2021, the day the certificate expired.

This sounds like a known issue with LetsEncrypt and dfly 6.0.0's
version of LibreSSL.

Assuming that's the case, here's a summary:

- No, the certificate is not out of date.

- Your client doesn't like the certificate chain presented by the
  server because the last certificate in the chain has expired.

- Most clients (including newer versions of LibreSSL) accept the chain
  because the second-last certificate in a chain is actually a root
  certificate. So, the last one can be ignored.

- If you upgrade to DragonflyBSD 6.0.1, the problem will go away. See

  https://www.dragonflydigest.com/2021/10/13/26267.html

- LetsEncrypt is still including that expired certificate at the end of
  the chain in order to maintain compatibility with older versions of
  Android. I guess those Android versions don't trust that second-last
  cert, and have an exception so they trust the last cert in the chain
  beyond its normal lifetime.

-- 
James
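The chain-building difference the message describes, as an added illustration (not code from the list post or from DragonFly/LibreSSL): a simplified model in which certificates are records of subject, issuer and expiry, with no signature checking, and the chain is a constructed one with placeholder names in the shape described above (leaf, intermediate, a cross-signed copy of a root, then an expired old root). It contrasts a client that stops at the first certificate found in its trust store with one that checks every certificate the server sent.

```python
"""Model of why an expired trailing certificate breaks old clients but not new ones.
Simplified: no signatures are verified, only expiry, issuer links and trust anchors.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


def validate_chain(chain, trust_store, now, trusted_first):
    """Walk the served chain leaf-first and return (ok, reason).

    trusted_first=True models newer clients: path building stops as soon as a
    certificate whose subject is in the local trust store is reached, so whatever
    the server appended after it is ignored.
    trusted_first=False models the older behaviour the post describes: every
    certificate the server sent is checked, including the expired trailing one.
    """
    trusted = {c.subject for c in trust_store}
    for i, cert in enumerate(chain):
        if now > cert.not_after:
            return False, f"certificate for {cert.subject!r} expired on {cert.not_after.date()}"
        if i > 0 and chain[i - 1].issuer != cert.subject:
            return False, f"{chain[i - 1].subject!r} was not issued by {cert.subject!r}"
        if trusted_first and cert.subject in trusted:
            return True, f"anchored at trusted {cert.subject!r}; ignored {len(chain) - i - 1} trailing cert(s)"
    last = chain[-1]
    if last.subject in trusted or last.issuer in trusted:
        return True, f"anchored at {last.subject!r}"
    return False, "no trust anchor found"


NOW = datetime(2021, 10, 13, tzinfo=timezone.utc)  # date of the list post


def sample_chain():
    """Constructed chain with placeholder names; dates are assumptions except 30-Sep-2021."""
    utc = timezone.utc
    return [
        Cert("mirror.example", "Intermediate CA", datetime(2021, 12, 1, tzinfo=utc)),
        Cert("Intermediate CA", "New Root", datetime(2025, 9, 15, tzinfo=utc)),
        Cert("New Root", "Old Root", datetime(2024, 9, 30, tzinfo=utc)),  # cross-signed copy of the root
        Cert("Old Root", "Old Root", datetime(2021, 9, 30, tzinfo=utc)),  # expired on 30-Sep-2021
    ]


def sample_trust_store():
    """Constructed trust store: only the self-signed new root is trusted locally."""
    return [Cert("New Root", "New Root", datetime(2035, 6, 4, tzinfo=timezone.utc))]


def diagnose(chain, trust_store, now):
    """Return both verdicts so an admin can see which client behaviour is failing."""
    return {
        "old_client": validate_chain(chain, trust_store, now, trusted_first=False),
        "new_client": validate_chain(chain, trust_store, now, trusted_first=True),
    }


if __name__ == "__main__":
    for name, (ok, why) in diagnose(sample_chain(), sample_trust_store(), NOW).items():
        print(f"{name}: {'OK' if ok else 'FAIL'} ({why})")
```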


