Can't HTTP POST - SSL error

rg305 · September 30, 2021, 5:52pm

I had to take this conversation out of that (way-too-long) topic.

rg305 · September 30, 2021, 5:53pm

Can you show a picture of the error?
Is there any detail in there?

emilnygaard · October 1, 2021, 6:57am

Sorry, I was on my phone all last night. I really appreciate your help, so I'll try to include more and better info now!

Running:

openssl s_client -connect app.kreditdata.dk:443 -servername app.kreditdata.dk

I'm getting:

Certificate chain
 0 s:CN = app.kreditdata.dk
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

So that could mean my chain still includes the old one, but in my ca-certificates.conf that cert is removed.
Trying in postman I get this, just trying a GET request on app.kreditdata.dk (no specified port):

webprofusion · October 1, 2021, 7:04am

Hi,

There is temporary workaround: Settings > General > SSL Certificate verification (disable it)

Postman is built on Electron, which is combination of Chromium (bits of Google Chrome) and NodeJS.

They have acknowledged the issue here:

github.com/postmanlabs/postman-app-support

Postman Reports Certificate Expired for Sectigo Chains

opened 01:36PM - 04 Jun 20 UTC

closed 06:50PM - 06 Jun 20 UTC

dcatpegs

bug

**Describe the bug** Certificates signed by Sectigo and trusted through USERTrust are reporting the error "Error: certificate has expired". This is related to https://www.namecheap.com/blog/sectigo-ssl-certificate-root-expiration-issue In this case the operating system and browser select the correct chain but Postman appears to have its own chain validation and incorrectly fails on the first chain that expires. **To Reproduce** Steps to reproduce the behavior: 1. Go to HTTPS URL signed by Sectigo / USERTrust Chain - I can provide a URL for testing but did not want it public 2. Simply make a GET request 3. See error **Expected behavior** Trust Sectigo Chains Signed by USERTrust without having to bypass certificate verification. **Screenshots** ![Postman](https://user-images.githubusercontent.com/34167105/83763456-54da5780-a63e-11ea-806a-eba4ff5af419.jpg) ![Postman_Console_and_Postman](https://user-images.githubusercontent.com/34167105/83763466-560b8480-a63e-11ea-8612-9b44d49278ac.jpg) **App information (please complete the following information):** - Postman MacOS and Windows - Postman Versions 7.25.1 & 7.25.2 (only ones tested) - OS: [e.g. MacOS 10.15.5, Windows 10] **Additional context** Very simple, just make an HTTPS call to any HTTPS site protected by Sectigo/USERTrust

And there is a fix in the works for the underlying BoringSSL library integration with Electron:

github.com/electron/electron

fix: Enable X509_V_FLAG_TRUSTED_FIRST flag in BoringSSL

electron:main ← jviotti:enable-x509-trusted-first-flag

opened 06:00PM - 30 Sep 21 UTC

jviotti

+21 -0

This flag is set by default on OpenSSL. Fixes: https://github.com/electron/el…ectron/issues/31212 Signed-off-by: Juan Cruz Viotti <jv@jviotti.com> - [x] PR description included and stakeholders cc'd - [x] `npm test` passes - [ ] tests are [changed or added](https://github.com/electron/electron/blob/main/docs/development/testing.md) - [x] [PR release notes](https://github.com/electron/clerk/blob/master/README.md) describe the change in a way relevant to app developers, and are [capitalized, punctuated, and past tense](https://github.com/electron/clerk/blob/master/README.md#examples). #### Release Notes Notes: Fix Let's Encrypt DST Root CA X3 certificate expiration.

This is quite an interesting issue, given the prevalence of Electron for everything.

emilnygaard · October 1, 2021, 7:07am

Aha - this is great information, thanks a lot!
So we're probably back to this being an issue on my clients end when they try to access our API.

rg305 · October 1, 2021, 7:14am

@emilnygaard
If you aren't serving any older Android devices, you could choose the trust path that ends at the self-signed trusted root "ISRG Root X1".

webprofusion · October 1, 2021, 7:21am

Another alternative if you need broad client support (especially for old android versions etc) is to switch CA (Zero SSL etc).

The current choice with Let's Encrypt means you can choose between two chains and they both have pros and cons.

My own preference for APIs is to run Cloudflare, which proxies and provides a provisioned cert in front but you also get basic analytics on API calls etc.

Johnny99211 · October 1, 2021, 7:29am

I have the same problem! We are running an API within WordPress which connects our products to our licensing system. When I do the following GET request in Postman, I'm getting an cert expired error:

https://agency.enwikuna.de/wp-json/

But when I open the URL manually, everything is fine when checking the certificate. The SSL check also shows the correct chain.

When doing a request within WordPress (PHP), I'm also getting this error:

cURL error 60: SSL certificate problem: certificate has expired

Every customer has the problem as well! This has a huge impact on our products and system, and I don't see a fast solution here...

emilnygaard · October 1, 2021, 7:33am

I took @webprofusion's suggestion and popped Cloudflare in front of our endpoint. The certificate they provide does not include the expired cert, and works for us - at least for now

Johnny99211 · October 1, 2021, 7:34am

But we don't use Cloudflare on our page and we don't want to use it at all

emilnygaard · October 1, 2021, 7:39am

Alright, then the solution might be to get a new cert that doesn't use the old root in the chain, as far as I understand.

Johnny99211 · October 1, 2021, 7:40am

Looks like the only solution for now... Thanks for your confirmation!

webprofusion · October 1, 2021, 8:07am

When you switch your system to the shorter ISRG Root X1 chain your clients will also need to have ISRG Root X1 in whichever ca bundle curl within PHP uses, you should try it out on test system. An alternative is to switch to a different CA for your certificate.

rg305 · October 1, 2021, 9:10am

@Johnny99211, I would try switching the chain from "DST Root CA X3" to the self-signed "ISRG Root X1"

Johnny99211 · October 1, 2021, 9:26am

How can I do this within plesk?

rg305 · October 1, 2021, 9:30am

@Johnny99211, sorry I've just spent quite a bit of time trying to figure out Plesk - total fail
There should be a way.
I would go on their forum or site and or search the web for info on how to obtain a cert chained from the alternate trust path or how to get a cert form any other FREE CA (that uses ACME client).

If you do find a solution/workaround, please post it back here for others to find/use as well.

Johnny99211 · October 1, 2021, 10:32am

I don't have the time for some try outs... I'll trash my LetsEncrypt certs and buy a regular one. Hopefully they are fixed next year

rg305 · October 1, 2021, 10:40am

There are also a couple of other FREE CAs - not as good as this one - but FREE.

system · October 31, 2021, 10:40am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.