Letsencrypt.Expired 12 KB

version=pmwiki-2.2.130 ordered=1 urlencoded=1
agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
author=miniontoby
charset=UTF-8
csum=added .pem
ctime=1633095023
host=77.168.188.164
name=Letsencrypt.Expired
rev=11
targets=
text=On Sep 30, 2021, the DST Root CA X3 root certificate expired (see the [[https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire|OpenSSL blog post on the Let's Encrypt root expiry]]).%0aThe chain that Let's Encrypt hands out with every certificate still ends in%0aa copy of ISRG Root X1 that is cross-signed by that expired root. Normally%0athis is not a problem: modern verifiers trust ISRG Root X1 directly, accept%0athe chain through it and ignore the extra certificate. Older TLS%0aimplementations (OpenSSL 1.0.2, for example) insist on building the path up%0ato DST Root CA X3 and reject the whole chain as expired. This includes%0aOpenBSD 6.9 release and older (without the errata patch below) and older%0aversions of mIRC.%0a%0aSwitching to another certificate authority would normally help. However, mIRC%0ausers have complained about validation errors with Buypass certificates: mIRC%0aappears to be missing one of the certificate authorities used by Buypass. For%0athis reason, do '''not''' use Buypass for your TLS certificates.%0a%0aThe best solution is to keep using Let's Encrypt certificates while deleting%0athe extra cross-signed certificate from the served chain. Clients that trust%0aISRG Root X1 then verify the shorter chain; clients that trusted only DST Root%0aCA X3 would fail after Sep 30, 2021 no matter what you serve. (The long chain%0aexists for old Android devices that trust DST Root CA X3 without checking its%0aexpiry; those are the only clients that lose out when it is trimmed.)%0a%0aGo to @@/etc/ssl/@@ where your public certificates are stored and edit%0a@@/etc/ssl/example.com.fullchain.pem@@. The file should contain exactly three%0acertificates: your own, the R3 intermediate, and the cross-signed ISRG Root X1.%0aDelete the third (and last) one by running these commands '''as root''':%0a%0a[@%0a# awk '/END CERTIFICATE/ { cert++; } { print $0; if (cert == 2) exit;}' /etc/ssl/example.com.fullchain.pem > /etc/ssl/example.com.fullchain.pem.fixed%0a# mv /etc/ssl/example.com.fullchain.pem.fixed /etc/ssl/example.com.fullchain.pem%0a@]%0a%0aThe awk command copies everything up to and including the second%0aEND CERTIFICATE line and then stops, so the result holds two certificates%0aand rerunning it on an already trimmed file changes nothing. Your ACME%0aclient will write the full three-certificate chain back on the next renewal,%0aso repeat the trim (or script it into the renewal job) after every renewal.%0a%0aYou should repeat this for every single SSL cert you have. Then,%0aif the daemon that serves the cert is running inside a chroot, make sure%0ato copy the SSL cert into the chroot. For example, for ngircd:%0a%0a[@%0a$ doas cp /etc/ssl/example.com.fullchain.pem /etc/ssl/private/example.com.key /etc/ngircd/%0a$ doas chown _ngircd:_ngircd /etc/ngircd/example.com.{fullchain.pem,key}%0a$ doas pkill -HUP ngircd%0a@]%0a%0aWe set the ownership so that the daemon can read both files (keep the private%0akey readable by that user only), then send ngircd a HUP signal so that it%0areloads its cert.%0a%0aFor ZNC, we would run:%0a%0a[@%0a$ doas cp /etc/ssl/example.com.fullchain.pem /etc/ssl/private/example.com.key /home/znc/home/znc/.znc/%0a$ doas chown -R znc:znc /home/znc/home/znc/.znc/%0a@]%0a%0aMake sure that certs are properly copied into place for all your services.%0a%0aTest to see if every one of your SSL certs works. It's best to use%0aa wide variety of web browsers, email clients, and IRC clients, preferably on%0adifferent operating systems. For example, an SSL cert might validate%0ain Firefox on Debian but not in lynx on OpenBSD or mIRC on Windows.%0a%0a!! Recommended Testing:%0a%0aTry testing with mIRC from Windows if you have it, or irssi on unpatched%0aOpenBSD 6.9 release against your IRC server/ZNC bouncer. Also, try lynx/w3m on%0aOpenBSD against your website, and mutt on OpenBSD against your mail server.%0aConfirm that you can trigger the error before deleting the certificate and%0athat the certificate validates after it is deleted; otherwise you cannot tell%0awhether the trim made any difference.%0a%0a!! Patching OpenBSD%0a%0aIn [[https://www.openbsd.org/errata69.html|Errata for OpenBSD 6.9]], a patch%0ais provided so that OpenBSD's libcrypto prefers trusted certificates when%0abuilding the chain, so a chain that also offers a path to the expired%0aDST Root CA X3 is no longer rejected. Apply it with:%0a%0a[@%0a$ doas syspatch%0a@]%0a%0aSee also [[http://undeadly.org/cgi?action=article;sid=20211001073034]]%0a
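The trim described above, together with the checks a practitioner would run around it, as an added shell example that is not part of the original page. It assumes the three-certificate layout acme-client writes to /etc/ssl/example.com.fullchain.pem (leaf, R3, cross-signed ISRG Root X1, in that order) and that openssl(1) is available for the inspection step; the sample bundle at the end is constructed placeholder text, not real certificates, and exists only to exercise the counting and trimming logic.

```shell
#!/bin/sh
# Added example, not from the original page: trim a Let's Encrypt
# fullchain.pem safely and look at what each certificate in it is before
# deleting anything. Assumptions (mine, not the page's): the bundle is
# ordered leaf, R3 intermediate, cross-signed ISRG Root X1, which is what
# acme-client writes to /etc/ssl/example.com.fullchain.pem; openssl(1)
# is only needed for pem_describe.
set -eu

# Number of PEM certificate blocks in a file (0 if none).
pem_count() {
    grep -c -- '-----END CERTIFICATE-----' "$1" || true
}

# Copy the first N certificate blocks of FILE to stdout: the page's awk
# one-liner generalised from 2 to N. Lines after the Nth END marker are
# dropped; rerunning on an already short file changes nothing.
pem_keep_first() {
    awk -v keep="$2" '
        { print }
        /-----END CERTIFICATE-----/ { if (++n >= keep) exit }
    ' "$1"
}

# Subject, issuer and expiry of every certificate in FILE, so you can see
# that the block you are about to delete is "ISRG Root X1" issued by
# "DST Root CA X3" and not your own leaf. Real certificates only.
pem_describe() {
    dir=$(mktemp -d)
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     { print > (d "/" n ".pem") }' "$1"
    for f in "$dir"/[1-9]*.pem; do
        printf '== certificate %s\n' "$(basename "$f" .pem)"
        openssl x509 -in "$f" -noout -subject -issuer -enddate
    done
    rm -rf "$dir"
}

# Rewrite FILE in place keeping only the first two certificates.
# The new file is written beside the original with the original's mode and
# then renamed over it, so a daemon never reads a half-written chain.
# A two-certificate file is reported as already trimmed; anything shorter
# is an error, because a chain without its intermediate will not verify.
trim_fullchain() {
    bundle=$1
    n=$(pem_count "$bundle")
    if [ "$n" -lt 2 ]; then
        printf 'error: %s has %s certificate(s), expected at least 2\n' "$bundle" "$n" >&2
        return 1
    fi
    if [ "$n" -eq 2 ]; then
        printf '%s: already 2 certificates, nothing to trim\n' "$bundle" >&2
        return 0
    fi
    fixed="$bundle.fixed"
    cp -p "$bundle" "$fixed"                 # inherit mode/owner of original
    pem_keep_first "$bundle" 2 > "$fixed"
    mv -f "$fixed" "$bundle"
    printf '%s: trimmed %s -> 2 certificates\n' "$bundle" "$n" >&2
}

# Constructed three-block bundle standing in for leaf, R3 and the cross-signed
# root. The bodies are made-up text, not real certificates, so pem_describe
# cannot be run on it; it only exercises the counting and trimming logic.
make_fake_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
FAKELEAFCERTIFICATEBODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
FAKER3INTERMEDIATEBODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
FAKECROSSSIGNEDISRGROOTX1BODY
-----END CERTIFICATE-----
EOF
}

# Stand-alone demo on the constructed bundle.
demo=$(mktemp -d)
make_fake_bundle "$demo/example.com.fullchain.pem"
trim_fullchain "$demo/example.com.fullchain.pem"
pem_count "$demo/example.com.fullchain.pem"    # 2
rm -rf "$demo"
```

Run pem_describe on the real bundle first: the third block should show subject ISRG Root X1 and issuer DST Root CA X3; if it does not, the chain is not the one this page is about and trimming it is wrong. After trim_fullchain and the daemon reload, `openssl s_client -connect example.com:6697 -servername example.com -showcerts </dev/null | grep -c 'END CERTIFICATE'` should report 2 for the chain the server actually sends, which is the quickest way to catch a service that is still reading a stale copy inside its chroot.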
time=1633445210
author:1633445210=miniontoby
csum:1633445210=added .pem
diff:1633445210:1633284282:=22c22%0a%3c # mv /etc/ssl/example.com.fullchain.pem.fixed /etc/ssl/example.com.fullchain.pem%0a---%0a> # mv /etc/ssl/example.com.fullchain.fixed /etc/ssl/example.com.fullchain.pem%0a
host:1633445210=77.168.188.164
author:1633284282=jrmu
diff:1633284282:1633106360:=68,69d67%0a%3c %0a%3c See also [[http://undeadly.org/cgi?action=article;sid=20211001073034]]%0a
host:1633284282=125.231.16.47
author:1633106360=jrmu
diff:1633106360:1633105248:=51,60d50%0a%3c %0a%3c !! Recommended Testing:%0a%3c %0a%3c Try testing with mIRC from Windows if you have it, or irssi on unpatched%0a%3c OpenBSD 6.9 release to your IRC server/ZNC bouncer. Also, try lynx/w3m on%0a%3c OpenBSD to your website, and mutt on OpenBSD to your mail server. Try to%0a%3c see if you can trigger the error before deleting the certificate, and if%0a%3c you have a valid certificate after it's deleted.%0a%3c %0a%3c !! Patching OpenBSD%0a
host:1633106360=125.231.16.216
author:1633105248=jrmu
diff:1633105248:1633105026:=18c18%0a%3c (and last) certificate by running this command '''as root''':%0a---%0a> (and last) certificate by running this command as root:%0a
host:1633105248=125.231.16.216
author:1633105026=jrmu
diff:1633105026:1633104716:=1c1%0a%3c On Sep 30, 2021, Let's Encrypt had [[https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire|one of their intermediate certificates expire]] (an old DST Root CA X3 certificate).%0a---%0a> On Sep 30, 2021, Let's Encrypt had [[https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire|one of their intermediate certificates expire]] (ISRG Root X1 signed by an old DST Root CA X3 certificate).%0a
host:1633105026=125.231.16.216
author:1633104716=jrmu
diff:1633104716:1633104249:=21c21%0a%3c # awk '/END CERTIFICATE/ { cert++; } { print $0; if (cert == 2) exit;}' /etc/ssl/example.com.fullchain.pem > /etc/ssl/example.com.fullchain.pem.fixed%0a---%0a> # awk '/END CERTIFICATE/ { cert++; } { print $0; if (cert == 2) exit;} ' /etc/ssl/example.com.fullchain.pem > /etc/ssl/example.com.fullchain.pem.fixed%0a
host:1633104716=125.231.16.216
author:1633104249=jrmu
diff:1633104249:1633102775:=17,19c17,27%0a%3c @@/etc/ssl/example.com.fullchain.pem@@. Delete the lines of the third%0a%3c (and last) certificate by running this command as root:%0a%3c %0a---%0a> @@/etc/ssl/example.com.fullchain.pem@@. Delete the last ~30 lines%0a> in the certificate:%0a> %0a> Test to see if every one of your SSL certs work. It's best to use%0a> a wide variety of web browsers, email clients, and IRC clients on preferably%0a> different operating systems. For example, an SSL cert might validate%0a> on Firefox on Debian but not on lynx on OpenBSD or mIRC on Windows.%0a> %0a> In [[https://www.openbsd.org/errata69.html|Errata for OpenBSD 6.9]], a patch%0a> is provided so that OpenBSD will verify trusted certificates first:%0a> %0a21,22c29%0a%3c # awk '/END CERTIFICATE/ { cert++; } { print $0; if (cert == 2) exit;} ' /etc/ssl/example.com.fullchain.pem > /etc/ssl/example.com.fullchain.pem.fixed%0a%3c # mv /etc/ssl/example.com.fullchain.fixed /etc/ssl/example.com.fullchain.pem%0a---%0a> $ doas syspatch%0a25,57d31%0a%3c You should repeat this for every single SSL cert you have. Then,%0a%3c if the daemon that serves the cert is running inside a chroot, make sure%0a%3c to copy the SSL cert into the chroot. For example, for ngircd:%0a%3c %0a%3c [@%0a%3c $ doas cp /etc/ssl/example.com.fullchain.pem /etc/ssl/private/example.com.key /etc/ngircd/%0a%3c $ doas chown _ngircd:_ngircd /etc/ngircd/example.com.{fullchain.pem,key}%0a%3c $ doas pkill -HUP ngircd%0a%3c @]%0a%3c %0a%3c We make sure to set the proper permissions as well as send a HUP%0a%3c signal to ngircd to cause it to reload its cert.%0a%3c %0a%3c For ZNC, we would run:%0a%3c %0a%3c [@%0a%3c $ doas cp /etc/ssl/example.com.fullchain.pem /etc/ssl/private/example.com.key /home/znc/home/znc/.znc/%0a%3c $ doas chown -R znc:znc /home/znc/home/znc/.znc/%0a%3c @]%0a%3c %0a%3c Make sure that certs are properly copied into place for all your services.%0a%3c %0a%3c Test to see if every one of your SSL certs work. It's best to use%0a%3c a wide variety of web browsers, email clients, and IRC clients on preferably%0a%3c different operating systems. For example, an SSL cert might validate%0a%3c on Firefox on Debian but not on lynx on OpenBSD or mIRC on Windows.%0a%3c %0a%3c In [[https://www.openbsd.org/errata69.html|Errata for OpenBSD 6.9]], a patch%0a%3c is provided so that OpenBSD will verify trusted certificates first:%0a%3c %0a%3c [@%0a%3c $ doas syspatch%0a%3c @]%0a
host:1633104249=125.231.16.216
author:1633102775=jrmu
diff:1633102775:1633102620:=16,23c16,22%0a%3c Go to @@/etc/ssl/@@ where your public certificates are stored and edit%0a%3c @@/etc/ssl/example.com.fullchain.pem@@. Delete the last ~30 lines%0a%3c in the certificate:%0a%3c %0a%3c Test to see if every one of your SSL certs work. It's best to use%0a%3c a wide variety of web browsers, email clients, and IRC clients on preferably%0a%3c different operating systems. For example, an SSL cert might validate%0a%3c on Firefox on Debian but not on lynx on OpenBSD or mIRC on Windows.%0a---%0a> I fixed almost every team's SSL certs (except for maybe one or two). %0a> I ended up using just let's encrypt using a little trick: %0a> inside the .fullchain.pem, if you delete the 3rd certificate, it will %0a> then validate properly.%0a> %0a> If you'd like, check and see if SSL is verifying on a wide variety of%0a> web browsers and IRC clients.%0a
host:1633102775=125.231.16.216
author:1633102620=jrmu
diff:1633102620:1633102485:=25c25,26%0a%3c is provided so that OpenBSD will verify trusted certificates first:%0a---%0a> is provided so that OpenBSD will verify trusted certificates first. Simply%0a> run these commands:%0a
host:1633102620=125.231.16.216
author:1633102485=jrmu
diff:1633102485:1633095023:=10,15c10,15%0a%3c of the certificate authorities used by buypass. For this reason, do%0a%3c '''not''' use buypass for your TLS certificates.%0a%3c %0a%3c The best solution is to use Let's Encrypt issued certificates%0a%3c while also deleting the extra intermediate certificate that has expired.%0a%3c %0a---%0a> of the certificate authorities used by buypass.%0a> For this reason, do '''not''' use buypass for your TLS certificates.%0a> %0a> The best workaround continues to use the Let's Encrypt issued certificates,%0a> but also to delete the extra intermediate certificate that has expired.%0a> %0a23,31d22%0a%3c %0a%3c In [[https://www.openbsd.org/errata69.html|Errata for OpenBSD 6.9]], a patch%0a%3c is provided so that OpenBSD will verify trusted certificates first. Simply%0a%3c run these commands:%0a%3c %0a%3c [@%0a%3c $ doas syspatch%0a%3c @]%0a%3c %0a
host:1633102485=125.231.16.216
author:1633095023=jrmu
diff:1633095023:1633095023:=1,22d0%0a%3c On Sep 30, 2021, Let's Encrypt had [[https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire|one of their intermediate certificates expire]] (ISRG Root X1 signed by an old DST Root CA X3 certificate).%0a%3c This certificate is still present in the public certificates that they issue.%0a%3c Normally, this would not be a problem, because Let's Encrypt offers%0a%3c another valid signature. However, older SSL implementations %0a%3c will reject the certificate. This includes OpenBSD 6.9 release and older%0a%3c and older versions of mIRC.%0a%3c %0a%3c Switching to another certificate authority would normally help. However, mIRC%0a%3c users have complained about validation errors. It seems they are missing one%0a%3c of the certificate authorities used by buypass.%0a%3c For this reason, do '''not''' use buypass for your TLS certificates.%0a%3c %0a%3c The best workaround continues to use the Let's Encrypt issued certificates,%0a%3c but also to delete the extra intermediate certificate that has expired.%0a%3c %0a%3c I fixed almost every team's SSL certs (except for maybe one or two). %0a%3c I ended up using just let's encrypt using a little trick: %0a%3c inside the .fullchain.pem, if you delete the 3rd certificate, it will %0a%3c then validate properly.%0a%3c %0a%3c If you'd like, check and see if SSL is verifying on a wide variety of%0a%3c web browsers and IRC clients.%0a
host:1633095023=125.231.16.216