On 25/10/21 16:22, Per olof Ljungmark wrote:
> On 10/25/21 09:51, Guido Falsi wrote:
>> On 25/10/21 08:14, Per olof Ljungmark wrote:
>>> FreeBSD 12-STABLE from Oct 15
>>> nextcloudclient 3.3.5
>>> I get popup messages from the client stating "Untrusted Certificate
>>> Cannot connect securely to [server-name]".
>>> Browser access to the server is fine, no errors.
>>> Using truss, it seems it looks for and finds
>>> fstatat(AT_FDCWD,"/etc/ssl/certs//2e5ac55d.0",{ mode=-r--r--r--
>>> ,inode=192371,size=4665,blksize=5120 },0x0) = 0 (0x0)
>>> open("/etc/ssl/certs//2e5ac55d.0",O_RDONLY,0666) = 106535 (0x1a027)
>>> But 2e5ac55d.0 (DST_Root_CA_X3.pem) has expired.
>>> It also looks for 8d33f237.0, but it does not exist:
>>> fstatat(AT_FDCWD,"/etc/ssl/certs//8d33f237.0",0x7fffdf5f70a0,0x0)
>>> ERR#2 'No such file or directory'
>>> How do I convince it to instead look for 4042bcee.0 which is the
>>> ISRG_Root_X1.pem used by Letsencrypt?
>>> Ref:
>>> https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>> What version of openssl are you using? Versions before 1.1.0 show this
>> behavior.
>> Maybe a possible workaround is to manually remove the expired
>> certificate from the list of trusted ones.
>> I guess you are using the ones installed by security/ca_root_nss, in
>> which case you'll need to modify their list.
> Deleting the link /etc/ssl/certs did the trick it seems, no more popups
> for an hour.
> Still wondering why this happens though...
Not sure why it happens in your case, since you're using a recent
OpenSSL, but in general it happens because one of the letsencrypt root
certificates expired and the default chain still includes it through
cross signing. Newer OpenSSL should be able to cope, so, again, no clue
why it happens in your case.
--
Guido Falsi <madpi...@freebsd.org>
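The check the thread converges on, as an added example that is not part of the list discussion: scan an OpenSSL hash directory such as /etc/ssl/certs, read each <subject-hash>.<n> entry's validity dates straight from the DER, and report the anchors already past notAfter (the ones the truss output shows OpenSSL still opening). The minimal DER walker, the short-form encoder and the unsigned sample certificate are this example's own constructions, not OpenSSL or ca_root_nss code, and nothing here verifies signatures.

```python
import base64, os, re
from datetime import datetime, timezone

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_validity(cert_der):
    """Return (notBefore, notAfter) of an X.509 certificate as UTC datetimes."""
    _, tbs, _ = der_tlv(der_tlv(cert_der)[1])       # Certificate -> tbsCertificate
    tag, _, pos = der_tlv(tbs)                        # [0] EXPLICIT version is optional
    if tag != 0xA0:
        pos = 0                                       # v1 certificate: no version field
    for _ in range(3):                                # skip serialNumber, signature, issuer
        _, _, pos = der_tlv(tbs, pos)
    _, validity, _ = der_tlv(tbs, pos)
    times, p = [], 0
    for _ in range(2):                                # notBefore, then notAfter
        tag, val, p = der_tlv(validity, p)            # 0x17 UTCTime or 0x18 GeneralizedTime
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        times.append(datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc))
    return tuple(times)

def load_cert(path):
    """Read a PEM or raw DER certificate file (symlinks followed) and return DER bytes."""
    data = open(path, "rb").read()
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def expired_in_hash_dir(cert_dir, now):
    """Return {filename: notAfter} for hash-named certs whose validity ended by `now`."""
    out = {}
    for name in sorted(os.listdir(cert_dir)):
        if re.fullmatch(r"[0-9a-f]{8}\.\d+", name):   # OpenSSL <subject-hash>.<n> entries only
            not_after = cert_validity(load_cert(os.path.join(cert_dir, name)))[1]
            if not_after <= now:
                out[name] = not_after
    return out

def der(tag, content):                                # short-form DER encoder (< 128 bytes)
    return bytes([tag, len(content)]) + content       # only for the constructed sample below
def sample_cert(not_before, not_after):
    """Constructed, unsigned X.509 DER blob with the given validity (test data, not a real cert)."""
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + der(0x30, b"")
           + der(0x30, utc(not_before) + utc(not_after)) + der(0x30, b""))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

Run expired_in_hash_dir("/etc/ssl/certs", datetime.now(timezone.utc)) to see which hash entries to drop before regenerating the links.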