Chris Bennett(cpb_m...@bennettconstruction.us) on 2021.09.30 10:02:17 -0700:
> Hi,
>
> I'm getting that the certs are expired, but https works fine in Firefox,
> including when looking at the full chain.
>
>
> openssl s_client -servername mail.strengthcouragewisdom.rocks -connect
> mail.strengthcouragewisdom.rocks:imaps
>
> openssl s_client -servername mail.strengthcouragewisdom.rocks -connect
> mail.strengthcouragewisdom.rocks:https
>
> However are not happy. I force updated my ssl certs, syspatch, pkg_add
> -u and rebooted.
>
> I didn't rebuild dh.pem for dovecot.
>
> Is this just a DNS propagation issue?
> Or should I do something further myself?

This is an issue with an expired root/intermediate certificate (DST Root X3)
in use by Let's Encrypt.

Stuart Henderson (sthen@) summarized it like this:

LibreSSL in OpenBSD 6.9/earlier is having problems with the expiry of a CA
certificate used to cross-sign Let's Encrypt certs. LE decided not to switch
to using their own root fully, rather they are continuing to use the expired
cross-signer to increase compatibility with old Android devices, which is
tickling this problem.

https://letsencrypt.org/2020/12/21/extending-android-compatibility.html

An errata has just been published, you can install it using syspatch.

Best,
Benno