C++ Client Library no longer working with Lets Encrypt

sam_smith · April 3, 2024, 1:53am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

api8.hubcontrols.com

It produced this output:

My web server is (include version):
Docker ngnx-mainline-alpine

The operating system my web server runs on is (include version):
Docker ngnx-mainline-alpine
My hosting provider, if applicable, is:
self
I can login to a root shell on my machine (yes or no, or I don't know):
I dont know
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Hi, I am hoping you can help me with my very urgent problem.

I have an embedded client application on 10,000 devices deployed in the field that communicates with our servers over HTTPS. It has two expired certs and one cert that will expire in May 2025.All these client side scripts are LetsEncrypt certs. It is not possible for me to update the client on the devices. Lets Encrypts certs on the server no longer work with the device even with the one that will not expire until May 2025. I have downgraded the last issued lets encrypt cert on the server to the previously issued one but it will expire on the 16th of this month.

Is there something I can do to get Lets Encrypt to work with a client cert that expires in one year. Also I have been informed that it is possible for a certificate authority to issue a special cert that will work with soon to expire or expired client certs. Does anyone know an issuing authority that can do this?

If any one could provide an answer I would very much appreciate it as my company is facing collapse if a suitable cert cannot be installed on our servers in the next two weeks.

Thank you.

David Gleeson

These are the details of the three keys.

Common Name: Baltimore CyberTrust Root

Subject Alternative Names:

Organization: Baltimore

Organization Unit: CyberTrust

Locality:

State:

Country: IE

Valid From: May 12, 2000

Valid To: May 12, 2025

Issuer: Baltimore CyberTrust Root, Baltimore

Key Size: 2048 bit

Serial Number: ****

Common Name: DST Root CA X3

Subject Alternative Names:

Organization: Digital Signature Trust Co.

Organization Unit:

Locality:

State:

Country:

Valid From: September 30, 2000

Valid To: September 30, 2021

Issuer: DST Root CA X3, Digital Signature Trust Co.

Key Size: 2048 bit

Serial Number: ***

Common Name: CAcert Class 3 Root

Subject Alternative Names:

Organization: CAcert Inc.

Organization Unit: http://www.CAcert.org

Locality:

State:

Country:

Valid From: May 23, 2011

Valid To: May 20, 2021

Issuer: CA Cert Signing Authority, Root CA

Key Size: 4096 bit

Serial Number:*****

Bruce5051 · April 3, 2024, 2:21am

Hello @sam_smith, welcome to the Let's Encrypt community.

Can you share a certificate (full chain) even it is expired that worked (or presently works),
and a certificate (full chain) that is preferably not expired that fails?

Also what C++ Client Library no longer working?
version, target platform, etc.

More details will be needed.

Can the servers be updated to Certbot 2.9.0 Release?

There are also other Free ACME CA Comparison - Posh-ACME

mcpherrinm · April 3, 2024, 2:24am

Common Name: Baltimore CyberTrust Root
Common Name: DST Root CA X3
Common Name: CAcert Class 3 Root

It seems you've embedded three certificates in your trust store, but that doesn't include the Let's Encrypt root.

The DST Root CA X3 previously cross-signed the Let's Encrypt root, but that cross-sign is expiring this year. See Shortening the Let's Encrypt Chain of Trust - Let's Encrypt

As an immediate workaround, you can include the DST X3 cross-sign. You can see the certbot documentation for full details, but you'll do certbot renew --preferred-chain "DST Root CA X3". However, certbot 0.31.0 is too old - that was added in Certbot 1.6.0 Release so you'll have to upgrade first.

But once the cross-sign has expired, that won't work anymore, so you will need to find an alternate mechanism. Let's Encrypt will not be supported by those devices.

You may be able to get a certificate from another CA that chains to those roots.
I believe the Baltimore CyberTrust Root is owned by Digicert now, who may be able to help you. CACert.org may also be able to help.

Bruce5051 · April 3, 2024, 2:26am

Side note: I have not found many TLS clients that will trust that CA, if it works for you and your customers great.

Bruce5051 · April 3, 2024, 2:37am

@sam_smith if that is true then why?

I am kind of confused.

rg305 · April 3, 2024, 2:41am

I don't really understand your explanation of the problem.

Can you provide two examples?:

one of a cert that works
one of a cert that fails

Bruce5051 · April 3, 2024, 2:43am

Here is the presently being served certificate.

$ openssl s_client -showcerts -servername api8.hubcontrols.com -connect api8.hubcontrols.com:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api8.hubcontrols.com
verify return:1
---
Certificate chain
 0 s:CN = api8.hubcontrols.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 15 22:29:24 2024 GMT; NotAfter: Jun 13 22:29:23 2024 GMT
-----BEGIN CERTIFICATE-----
MIIE9DCCA9ygAwIBAgISBPVwOg4Ic+eWQDWbmDSqo8X0MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yNDAzMTUyMjI5MjRaFw0yNDA2MTMyMjI5MjNaMB8xHTAbBgNVBAMT
FGFwaTguaHViY29udHJvbHMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAsX1W/rSDOzzs4RFp5NI7NZw5hAOOGcibgn0b4aEdGXyJY1xKZYM7t4Ab
GNDfbjGvK2joYf+LeRSwmu6WRNYtNBn/gXt7zKW2uPhYsw+9ndIe70f7zEL1hS7I
RdSA4Mjqym3msfRdcvT3Iq3eBbrefKznIPPxylxtK+tNXsEPDEI7NEuOeZE43iVi
TIMJSkKt5HHxr+JA4SBQLhgqbVzBoOu6XMw+O1XRNc093xoGpePqgKODpBW01jY/
VM3h/HCGbsPpOXOc/jR9VINYzlg/sF68VVD7hLOBcr0TBCfQTh/bkqLdIh3FNoR1
Fb+GBHmIhDKvbeY85oy/oRgc1szoywIDAQABo4ICFTCCAhEwDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBTUI/seAV3xJg+zZHbhrUTTRL2OZjAfBgNVHSMEGDAWgBQULrMX
t1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0
dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVu
Y3Iub3JnLzAfBgNVHREEGDAWghRhcGk4Lmh1YmNvbnRyb2xzLmNvbTATBgNVHSAE
DDAKMAgGBmeBDAECATCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2AEiw42vapkc0
D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABjkRy5f8AAAQDAEcwRQIgAK4VFBwM
rR1IIV54ah2DUDiQtdJcEjroQyQ2jwED1kUCIQDj5rZrRd9pgCfp/iPEo3K3+4Ni
+ZDcrnDFnu8jzWyPxAB1ADtTd3U+LbmAToswWwb+QDtn2E/D9Me9AA0tcm/h+tQX
AAABjkRy5fsAAAQDAEYwRAIgeLu/6WbI4uJ8jjM6ATXq0HABJMZ0SIEjy7xmLMWw
QY8CIHEsOmzJWNc4G543vSt8Aj5sCHNau5WxYya8UgQy4GVoMA0GCSqGSIb3DQEB
CwUAA4IBAQCo4nhuSIKRYd/rHSiau6NZR4k70aWuKttfzZyU+YswEJRmTdICKzCK
5WTsB6tV2WT9bStrfH80xOW55nxSMmO5nabodue5BDipCs6xg/uCpMT9l2maYdty
HFUOlDMSdjSc7pzhZO32UlM9kSZ8WOIc0d2f4qVciftp/gYLTnj/abkXoT+BSrPK
wnK8K3Ac1pk/Bmox/he+GA6oos1KClyDXOkbtFAt8BdPS0rX5AQFm3539IPydVaw
AVfGm1tTWZ7zm+3k6vir9Lew9KljpDw2Az/JMpeM28UWmpyGVSPUvj0hZEzzZywf
XZc7KE2IiRRPW03NvpM/Mjfdd2VulyYG
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = api8.hubcontrols.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3258 bytes and written 415 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 079E1EDDE1CB27419CAF067D87EA398BB41F866F6E623751F79828F8F3FA17A0
    Session-ID-ctx:
    Master-Key: 09BDF836A73B6EF863E91437D981D60A1AC00CF3A3A60AB8F835E98763DBF4A9828E7985E00501223DEE33E6333D262B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - cc b2 a0 a0 29 14 51 27-a0 f1 11 56 26 7b e0 37   ....).Q'...V&{.7
    0010 - c6 67 c1 35 5c 0e a4 84-cb c3 f4 bc 09 aa 6a c5   .g.5\.........j.
    0020 - e8 d1 f6 e7 c3 90 99 5f-36 05 ef 89 36 e4 c5 65   ......._6...6..e
    0030 - cf 2f d0 b3 82 ec 4c a3-bf 27 0a 54 75 98 fd 7a   ./....L..'.Tu..z
    0040 - 23 0b b9 0e 04 10 aa 4a-40 0a 27 63 ac 59 85 40   #......J@.'c.Y.@
    0050 - 8f 52 a8 43 61 67 9d 41-d3 db 34 2b 4b a0 60 97   .R.Cag.A..4+K.`.
    0060 - 0a 55 b3 76 aa b0 57 cb-19 1b 60 31 77 8a d2 0a   .U.v..W...`1w...
    0070 - 07 68 1b 90 7a f7 f1 13-2b a1 04 73 e4 2a 8f 9d   .h..z...+..s.*..
    0080 - 02 19 77 48 5f c9 73 21-d9 52 81 fa aa 7a 9b db   ..wH_.s!.R...z..
    0090 - 64 dd 5f 73 93 a2 55 15-fa db e9 95 12 5c 8d 32   d._s..U......\.2
    00a0 - 4e 87 a4 bb 1d dc 66 7f-40 b7 bc 30 f9 bb ed d4   N.....f.@..0....
    00b0 - 21 54 17 76 3e 10 d0 62-39 c1 37 57 04 95 94 ee   !T.v>..b9.7W....
    00c0 - e5 cb bb 9e bb 0a 5d d0-73 77 9b 5d 8d e8 ac 7f   ......].sw.]....

    Start Time: 1712112153
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE

Which is this certificate crt.sh | 12397136607

mcpherrinm · April 3, 2024, 2:46am

I'm pretty sure I understand the problem. Allow me to summarize as I understand

There are 10k TLS clients that have a custom trust store with (Baltimore CyberTrust, DST X3, CACert).

They communicate with a server with a Let's Encrypt certificate. I assume this is some sort of embedded device talking to a control server of some sort, based on the name.

Without the DST X3 cross-sign, those devices aren't able to communicate. They've rolled back to a previous cert (and chain, including the DST X3 cross-sign) to make things work, but that previous cert expires soon.

api8.hubcontrols.com isn't serving the DST X3 cross-sign right now, but perhaps the actual server the devices talk to isn't the one on the internet.

rg305 · April 3, 2024, 2:48am

That is a problem waiting to happen.

Can you update anything on those clients?

rg305 · April 3, 2024, 2:50am

I presume that is the "working" cert/chain example.
Now we just need the "failing" cert/chain example.

Bruce5051 · April 3, 2024, 2:51am

Yep @rg305 you are correct!

Osiris · April 3, 2024, 6:33am

If you can't keep those 10k devices up to date (including its root certificate trust store), your company was facing collapse one way or another in the near or far future anyway.

webprofusion · April 3, 2024, 6:37am

Is that the Digicert one? Maybe you can just use a Digicert certificate - e.g. just buy one.

[although that root is also only trusted until 2025 so that would only be a very temporary fix and you'd first need to check with digicert that they can even still issue from that root. If you can't update your clients they will eventually fail, so that's happening sooner rather than later.]

sam_smith · April 8, 2024, 1:49pm

The server is self configured but the nginx runs inside a docker container. I'm not sure if it is possible to log into the docker container with the nginx server running correctly

sam_smith · April 8, 2024, 1:54pm

Thank you for your reply.
A more complete description of the problem.

We have a domestic HVAC controller running an embedded legacy client application on 10,000 devices deployed in the field that communicates with a server side monolithic api application over HTTPS. The same Api application also handles requests from a phone application
These devices are going to go offline shortly due to the client HTTPS certificates being incompatible with LetsEncrypt server side certificates.
It is not possible for me to update certs for the http client on the devices as the OTA process no longer works properly. Furthermore the client side application does not produce adequate logs so we can see that a connection issue has occurred but that is all.
A more complete definition of the problem.
We have 8 primary api server instances and two secondary api server instances. Each one has its own domain as follows:

api1.hubcontrols.com
api2.hubcontrols.com
api3.hubcontrols.com
api4.hubcontrols.com
api4.hubcontrols.com
api5.hubcontrols.com
api6.hubcontrols.com
api7.hubcontrols.com
api8.hubcontrols.com
api.hubcontrols.com
api-staging.hubcontrols.com

Each api server sits behind an nginx server which accepts the https request and proxies the request as http to the api server. .The Nginx server usesLetsEncrypt to validate the HTTPS requests.
Load balancing is handled by the clients cycling between api1 and api8 if they encounter a slow response or no response from the server.
Starting on the 9th of February 2024 one by one the api servers stopped accepting requests from the devices in the field.
During all this time the phone application was experiencing no issues in connecting and communicating with the api servers and also curl requests sent to the api were being processed normally.
During this time a lot of time was spent on diagnosing possible issues with the networking and permissions on the servers but no issues were found.
On 2024-03-24 15:58:45 the last two api stopped accepting requests from the devices in the field and the system was no longer in communication with the devices.
We realized that a certificate incompatibility between the server side certificates may be the problem so we rolled back the certificate on the last two servers to stop accepting connections from the devices in the field. These two servers started accepting connections again.
(This was done by pointing the symlinks in /etc/lets/encrypt/live/ folders for the domains
To the second from last matching files in the /etc/letsencrypt/archive/ folders.)
However, checking the server certs revealed they would go out of date on the April 16, 2024 and April 23, 2024 of this month.
The same process was tried on the other servers but it was revealed that the previous lets encrypt certificates on these servers were already out of date.
It was also suggested that a configuration change in nginx could be added that would bypass certificate checking by adding this line This was tried but has had no effect.
Your suggestion to try a renewal of the certs with the following command certbot renew --preferred-chain "DST Root CA X3 (I added –force-renew) may work. It was tried but had no effect.
I have been told that a special server certificate could be generated that would work with the expired certs on the devices but this could only be done by LetsEncrypt as the client side certs will only work with LetsEncrypt.
These are the three client side certs with their details.

-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----
Common Name: Baltimore CyberTrust Root
Subject Alternative Names:
Organization: Baltimore
Organization Unit: CyberTrust
Locality:
State:
Country: IE
Valid From: May 12, 2000
Valid To: May 12, 2025
Issuer: Baltimore CyberTrust Root, Baltimore
Key Size: 2048 bit
Serial Number: 33554617 (0x20000b9)
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
Common Name: DST Root CA X3
Subject Alternative Names:
Organization: Digital Signature Trust Co.
Organization Unit:
Locality:
State:
Country:
Valid From: September 30, 2000
Valid To: September 30, 2021
Issuer: DST Root CA X3, Digital Signature Trust Co.
Key Size: 2048 bit
Serial Number: 44afb080d6a327ba893039862ef8406b
-----BEGIN CERTIFICATE-----
MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
4GGSt/M3mMS+lqO3ig==
-----END CERTIFICATE-----
Common Name: CAcert Class 3 Root
Subject Alternative Names:
Organization: CAcert Inc.
Organization Unit: http://www.CAcert.org
Locality:
State:
Country:
Valid From: May 23, 2011
Valid To: May 20, 2021
Issuer: CA Cert Signing Authority, Root CA
Key Size: 4096 bit
Serial Number: 672138 (0xa418a)

This is the full chain for the certificate that is working on api3.hubcontrols.com
(The more recent certificate that was not working seems to have been deleted.)

This is the full chain for the previous certificate on api3.hubcontrols.com? That is no longer working.

sam_smith · April 8, 2024, 1:55pm

Thank you for your reply. I have posted a more complete description of the problem that answers your questions.

sam_smith · April 8, 2024, 2:02pm

Yes that is correct. api3.hubcontrols.com and api4.hubcontrols.com are working at the moment.

sam_smith · April 8, 2024, 2:06pm

Thank you for your reply. I tried your solution but unfortunately it did not work. (See my more complete description of the problem in another reply)

sam_smith · April 8, 2024, 2:08pm

Thanks for replying to my post. I have Included those certs in my more complete description of the problem in another reply.

sam_smith · April 8, 2024, 2:10pm

Thanks for your reply. Apologies for any confusion. The two servers that are working at the moment are api3.hubcontrols.com and api4.hubcontrols.com.