Problems with sites using Let's Encrypt certificates
James Cook
falsifian at falsifian.org
Wed Oct 13 17:40:11 PDT 2021
> I remain puzzled, however, why the mirror-master.dragonflybsd.org site
> could have had an expired Web certificate for the last two weeks
> without manual repair and reports on this list that first appeared on
> 30-Sep-2021, the day the certificate expired.
This sounds like a known issue with LetsEncrypt and dfly 6.0.0's
version of LibreSSL.
Assuming that's the case, here's a summary:
- No, the certificate is not out of date.
- Your client doesn't like the certificate chain presented by the
server because the last certificate in the chain has expired.
- Most clients (including newer versions of LibreSSL) accept the chain
because the second-last certificate in a chain is actually a root
certificate. So, the last one can be ignored.
- If you upgrade to DragonflyBSD 6.0.1, the problem will go away. See
https://www.dragonflydigest.com/2021/10/13/26267.html
- LetsEncrypt is still including that expired certificate at the end of
the chain in order to maintain compatibility with older versions of
Android. I guess those Android versions don't trust that second-last
cert, and have an exception so they trust the last cert in the chain
beyond its normal lifetime.
--
James
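As an added illustration that is not part of James's message, the following Python models the two chain-validation behaviours the reply contrasts: checking every certificate the server presented versus stopping at the first issuer found in the local trust store. The CA names are the real Let's Encrypt / IdenTrust names, but the certificate records and all dates other than the 2021-09-30 expiry are constructed, and no real X.509 parsing is performed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (no real parsing)."""
    subject: str
    issuer: str
    not_after: date


# Constructed model of the chain Let's Encrypt servers sent in autumn 2021:
# leaf -> R3 -> ISRG Root X1 cross-signed by DST Root CA X3 (expired 2021-09-30).
TODAY = date(2021, 10, 13)
LEAF = Cert("mirror-master.dragonflybsd.org", "R3", date(2021, 12, 30))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2021, 9, 30))
PRESENTED_CHAIN = [LEAF, R3, ISRG_X1_CROSS]

# The client's trust store holds the self-signed ISRG Root X1 (constructed expiry).
TRUST_STORE = {"ISRG Root X1": Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))}


def verify_presented_chain(chain, today=TODAY):
    """Older behaviour: every certificate the server sent must link to the next
    one and be within its validity period, so the trailing expired cross-sign
    makes the whole chain fail even though a valid path to a root exists."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject or cert.not_after < today:
            return False
    return chain[-1].not_after >= today


def verify_trusted_first(chain, store=TRUST_STORE, today=TODAY):
    """Newer behaviour: walk the chain and stop as soon as the current
    certificate's issuer is a valid root in the trust store. Anything the
    server appended after that point (the expired cross-sign) is never examined."""
    for cert in chain:
        if cert.not_after < today:
            return False
        anchor = store.get(cert.issuer)
        if anchor is not None and anchor.not_after >= today:
            return True  # reached a trusted root; ignore the rest of the chain
    return False  # ran out of certificates without reaching a trusted root


if __name__ == "__main__":
    print("all-presented check:", verify_presented_chain(PRESENTED_CHAIN))  # False
    print("trusted-first check:", verify_trusted_first(PRESENTED_CHAIN))    # True
```

A client without ISRG Root X1 in its store (the older Android case mentioned above) fails the trusted-first check too, which is why the expired cross-sign is still served for those devices.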