rg305
September 30, 2021, 5:17pm
22
From what I can see:
curl -Iki design.aishowhouse.com
HTTP/1.1 308 Permanent Redirect
Server: openresty/1.15.8.1
it's running on openresty
which is based off nginx
[I personally don't use it but]
I would try looking for your vhost config file in
/etc/nginx/
Our client is getting errors when doing a POST to that domain, and doing either a POST or GET from Postman (just to the root domain) gives an SSL expired error.
rg305
September 30, 2021, 5:30pm
29
Port 25? 465? 587? 993?
I'm not psychic - help me out! - LOL
Sorry no specific port, so I guess it's 443 when SSL
rg305
September 30, 2021, 5:36pm
31
That is strange...
I do see the expected chain:
---
Certificate chain
0 s:/CN=www.cevaz.org
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Same as:
---
Certificate chain
0 s:/CN=community.letsencrypt.org
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Can you use Win7 Chrome 94 to get to (this site)?:
https://community.letsencyrpt.org/
rg305
September 30, 2021, 5:38pm
33
Windows builds that path for you - it isn't always what the server is sending.
You can't force it - your web server can offer it / suggest it.
But ultimately the client/software decides what it wants to do/build/see/use.
rg305
September 30, 2021, 5:39pm
34
You said "POST"
But I'm not sure if you mean "e-mail" or an HTML POST request.
I mean an HTTP POST request. But if I just do a GET to the domain in Postman, no port defined, I get the error.
rg305
September 30, 2021, 5:52pm
36
I had to take this conversation out of that (way-too-long) topic.
1 Like
rg305
September 30, 2021, 5:53pm
37
emilnygaard:
I get the error.
Can you show a picture of the error?
Is there any detail in there?
Sorry, I was on my phone all last night. I really appreciate your help, so I'll try to include more and better info now!
Running:
openssl s_client -connect app.kreditdata.dk:443 -servername app.kreditdata.dk
I'm getting:
Certificate chain
0 s:CN = app.kreditdata.dk
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
So that could mean my chain still includes the old one, but in my ca-certificates.conf that cert is removed.
Trying in postman I get this, just trying a GET request on app.kreditdata.dk (no specified port):
Hi,
There is temporary workaround: Settings > General > SSL Certificate verification (disable it)
Postman is built on Electron, which is a combination of Chromium (bits of Google Chrome) and NodeJS.
They have acknowledged the issue here:
opened 01:36PM - 04 Jun 20 UTC
closed 06:50PM - 06 Jun 20 UTC
bug
**Describe the bug**
Certificates signed by Sectigo and trusted through USERTrust are reporting the error "Error: certificate has expired". This is related to https://www.namecheap.com/blog/sectigo-ssl-certificate-root-expiration-issue
In this case the operating system and browser select the correct chain but Postman appears to have its own chain validation and incorrectly fails on the first chain that expires.
**To Reproduce**
Steps to reproduce the behavior:
1. Go to HTTPS URL signed by Sectigo / USERTrust Chain - I can provide a URL for testing but did not want it public
2. Simply make a GET request
3. See error
**Expected behavior**
Trust Sectigo Chains Signed by USERTrust without having to bypass certificate verification.
**Screenshots**
![Postman](https://user-images.githubusercontent.com/34167105/83763456-54da5780-a63e-11ea-806a-eba4ff5af419.jpg)
![Postman_Console_and_Postman](https://user-images.githubusercontent.com/34167105/83763466-560b8480-a63e-11ea-8612-9b44d49278ac.jpg)
**App information (please complete the following information):**
- Postman MacOS and Windows
- Postman Versions 7.25.1 & 7.25.2 (only ones tested)
- OS: [e.g. MacOS 10.15.5, Windows 10]
**Additional context**
Very simple, just make an HTTPS call to any HTTPS site protected by Sectigo/USERTrust
And there is a fix in the works for the underlying BoringSSL library integration with Electron:
electron:main
← jviotti:enable-x509-trusted-first-flag
opened 06:00PM - 30 Sep 21 UTC
This flag is set by default on OpenSSL.
Fixes: https://github.com/electron/el… ectron/issues/31212
Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>
- [x] PR description included and stakeholders cc'd
- [x] `npm test` passes
- [ ] tests are [changed or added](https://github.com/electron/electron/blob/main/docs/development/testing.md)
- [x] [PR release notes](https://github.com/electron/clerk/blob/master/README.md) describe the change in a way relevant to app developers, and are [capitalized, punctuated, and past tense](https://github.com/electron/clerk/blob/master/README.md#examples).
#### Release Notes
Notes: Fix Let's Encrypt DST Root CA X3 certificate expiration.
This is quite an interesting issue, given the prevalence of Electron for everything.
3 Likes
Aha - this is great information, thanks a lot!
So we're probably back to this being an issue on my clients end when they try to access our API.
2 Likes
rg305
October 1, 2021, 7:14am
41
@emilnygaard
If you aren't serving any older Android devices, you could choose the trust path that ends at the self-signed trusted root "ISRG Root X1".
1 Like
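An added checker, not code from this thread or any of its posters, that parses the `openssl s_client` "Certificate chain" block in either of the two OpenSSL output formats quoted above and reports whether the server is sending the long chain (ISRG Root X1 cross-signed by DST Root CA X3) or the short chain that stops at ISRG Root X1, which is the choice rg305 describes. The short-chain sample and its hostname are constructed; the long-chain sample is the app.kreditdata.dk output from earlier in the thread.

```python
import re
from datetime import datetime, timezone

# DST Root CA X3's notAfter (public fact). Past this instant, clients that still
# build their path up to it report "certificate has expired".
DST_ROOT_X3_NOT_AFTER = datetime(2021, 9, 30, 14, 1, 15, tzinfo=timezone.utc)
DST_ROOT_X3 = "DST Root CA X3"

# One line of the s_client "Certificate chain" block, in either format seen in
# this thread: " 0 s:/CN=host" (older OpenSSL) or " 0 s:CN = host" (1.1.1+).
_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")


def _cn(dn):
    """Pull the CN out of '/C=US/O=Let's Encrypt/CN=R3' or 'C = US, ..., CN = R3'."""
    m = re.search(r"CN\s*=\s*([^/,]+)", dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(s_client_output):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in s_client_output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        if m.group(1) == "s":
            subject = _cn(m.group(2))
        elif subject is not None:  # the 'i:' line completes the pair
            chain.append((subject, _cn(m.group(2))))
            subject = None
    return chain


def classify_chain(chain, now=None):
    """'long' if any sent cert is issued by DST Root CA X3 (the cross-sign), else 'short'."""
    now = now or datetime.now(timezone.utc)
    if not chain:
        raise ValueError("no 'Certificate chain' block found in s_client output")
    long_chain = any(issuer == DST_ROOT_X3 for _, issuer in chain)
    return {
        "chain": "long" if long_chain else "short",
        "leaf": chain[0][0],
        "trust_anchor": chain[-1][1],  # issuer of the last cert the server sent
        "anchor_expired": long_chain and now >= DST_ROOT_X3_NOT_AFTER,
        "note": ("clients without trusted-first path building (OpenSSL < 1.1.0, the "
                 "Electron/BoringSSL builds discussed here) chain to the expired DST "
                 "Root CA X3; serve the short chain unless you need old Android")
                if long_chain else "path ends at ISRG Root X1; unaffected by the DST expiry",
    }
```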
Another alternative if you need broad client support (especially for old android versions etc) is to switch CA (Zero SSL etc).
The current choice with Let's Encrypt means you can choose between two chains and they both have pros and cons.
My own preference for APIs is to run Cloudflare, which proxies and provides a provisioned cert in front but you also get basic analytics on API calls etc.
1 Like
I have the same problem! We are running an API within WordPress which connects our products to our licensing system. When I do the following GET request in Postman, I'm getting a cert expired error:
https://agency.enwikuna.de/wp-json/
But when I open the URL manually, everything is fine when checking the certificate. The SSL check also shows the correct chain.
When doing a request within WordPress (PHP), I'm also getting this error:
cURL error 60: SSL certificate problem: certificate has expired
Every customer has the problem as well! This has a huge impact on our products and system, and I don't see a fast solution here...
I took @webprofusion's suggestion and popped Cloudflare in front of our endpoint. The certificate they provide does not include the expired cert, and works for us - at least for now.
But we don't use Cloudflare on our page and we don't want to use it at all
1 Like
Alright, then the solution might be to get a new cert that doesn't use the old root in the chain, as far as I understand.
1 Like
Looks like the only solution for now... Thanks for your confirmation!