What is the issue that happened yesterday regarding certificate expiry?

Hello

We are using Let's Encrypt for the SSL certificate. This morning we got the "not secure" error almost everywhere. But in Windows 10 Chrome and in Firefox it's running fine. So what do we do now?

Do we need to do something on the client PCs or on the server? Also, our server is Ubuntu 16 with the Vesta panel installed.


I am facing the same issue; all of my users are reporting the same problem. A quick fix by the team would be appreciated. This is happening after the recent Google Chrome browser update.

Please read this first:

If you have any special questions then, feel free to ask.


And welcome to the LE community forum :slight_smile:
@bibudha

Actually the SSL certificate used for the domain is used for sending mail as well. And my server is Ubuntu 16. So it says the certificate has expired.

@bibudha
So we can check further: which FQDNs are those?
Also, what version of OpenSSL is on your Ubuntu 16?
And what OS, browsers, and mail clients are showing this certificate expiry problem?

FQDN: mail.saramails.com
[Screenshot by Lightshot]
Actually it's our own SMTP mail server. In nodemailer we use its credentials to send mail, and it throws an error that the certificate has expired.

Well that was useless!
The Lightshot site showed me nothing - even after having to captcha through it twice.

Anyway...
Is the mail server also used via HTTPS (like for webmail)?

Website looks good:

openssl s_client -connect mail.saramails.com:443 -servername mail.saramails.com
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.saramails.com
verify return:1
---
Certificate chain
 0 s:CN = mail.saramails.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

Port 25 looks good:

openssl s_client -connect mail.saramails.com:25 -starttls smtp
CONNECTED(0000019C)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=mail.saramails.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

openssl:
Installed: 1.0.2g-1ubuntu4.15
Candidate: 1.0.2g-1ubuntu4.15
Version table:
*** 1.0.2g-1ubuntu4.15 500
500 Index of /ubuntu/ xenial-updates/main amd64 Packages
500 Index of /ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
1.0.2g-1ubuntu4 500
500 Index of /ubuntu/ xenial/main amd64 Packages


The mail clients are a mobile app and a custom mail client like webmail.

OpenSSL may need to be patched if it can't be upgraded.
See: Old Let's Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog

OK, will check. Thanks for the information; hope it helps.

Here, what is patched in particular? Because on the production server it's difficult to update.

Ports 465 and 587 don't seem to be secured via TLS?
Were those secure before?

Ports 993 and 995 are having some other trouble (possibly just blocked by a firewall rule):

openssl s_client -connect mail.saramails.com:993
139914167185856:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
139914167185856:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

openssl s_client -connect mail.saramails.com:995
139997128352192:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
139997128352192:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

Did those ever work?

It is not a long read.
The underlying GnuTLS libraries and mainly the trusted root store.

Yes, ports 465 and 587 aren't secured by TLS. We send through them by setting the secure option to false.

Wow!
If I may ask, why (when you have a cert and can secure it)?

Haha... it's a long story. The developer made a wrong interpretation of this.


We are using Haraka (https://haraka.github.io/) as the SMTP server,

and for TLS we use tls - Haraka SMTP Email Server

What is fullchain.pem in Let's Encrypt?

It's a file that contains the end-entity (leaf) cert and any necessary intermediates to completely tie the chain to a trusted root.
[in an easy-to-use .pem format, the way most software likes it]
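To make the two answers above concrete (the expired-root behaviour behind the OpenSSL 1.0.2 blog post, and what fullchain.pem has to contain), here is an added example that is not from this thread, from Let's Encrypt or from OpenSSL. It builds a throwaway PKI with constructed names: an old root A standing in for DST Root CA X3, a new root B standing in for ISRG Root X1, a cross-signed "B issued by A" certificate whose validity has already ended, an intermediate standing in for R3, and a leaf for the made-up host mail.example.test. It then runs `openssl verify` for every combination of what the client trusts and what the server sends, which is exactly the decision a mail client or nodemailer makes against mail.saramails.com.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the expired-cross-signed-root problem
# with a constructed PKI so each trust-store/chain combination can be inspected locally.
# Needs only the openssl CLI (1.1.0 or newer for the -no-CAfile/-no-CApath flags).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config: empty DN section (subjects come from -subj) plus extension profiles.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
authorityKeyIdentifier = keyid
EOF

newkey="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"
gen_root() {  # $1 = file prefix, $2 = CN; self-signed CA valid for ten years
  openssl req -x509 -new $newkey -sha256 -days 3650 -config req.cnf \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
gen_root rootA "Constructed Old Root A"   # plays the part of DST Root CA X3
gen_root rootB "Constructed New Root B"   # plays the part of ISRG Root X1

# Cross-sign root B's key with root A, with a validity window that has already closed.
# 'openssl ca' is used only because it accepts explicit -startdate/-enddate.
openssl req -new -key rootB.key -config req.cnf -subj "/CN=Constructed New Root B" -out rootB.csr 2>/dev/null
cat > ca.cnf <<'EOF'
[ca]
default_ca = CA_default
[CA_default]
database = index.txt
new_certs_dir = .
serial = serial
certificate = rootA.pem
private_key = rootA.key
default_md = sha256
policy = pol
unique_subject = no
[pol]
commonName = supplied
EOF
: > index.txt
echo 1000 > serial
openssl ca -batch -config ca.cnf -notext -in rootB.csr -out rootB-by-rootA.pem \
  -startdate 20200101000000Z -enddate 20210930140000Z \
  -extfile req.cnf -extensions v3_ca 2>/dev/null

# Intermediate (the R3 stand-in) issued by root B, then the leaf issued by the intermediate.
openssl req -new $newkey -config req.cnf -subj "/CN=Constructed Intermediate R" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA rootB.pem -CAkey rootB.key -CAcreateserial -days 1825 -sha256 \
  -extfile req.cnf -extensions v3_int -out int.pem 2>/dev/null
openssl req -new $newkey -config req.cnf -subj "/CN=mail.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 90 -sha256 \
  -extfile req.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# The two chains a server could hand out. fullchain.pem mirrors the three-certificate
# chain seen on ports 443 and 25 above: leaf, intermediate, cross-signed new root.
cat leaf.pem int.pem rootB-by-rootA.pem > fullchain.pem
cat leaf.pem int.pem                    > fullchain-short.pem

chain_status() {  # $1 = roots the client trusts, $2 = chain the server sends; prints one verdict word
  out=$(openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" leaf.pem 2>&1) || true
  case "$out" in
    *": OK"*)                                   echo OK ;;
    *"certificate has expired"*)                echo EXPIRED ;;
    *"unable to get local issuer certificate"*) echo NO_ISSUER ;;
    *)                                          echo "FAIL($out)" ;;
  esac
}

for store in rootA.pem rootB.pem; do
  for chain in fullchain.pem fullchain-short.pem; do
    printf 'client trusts %-10s server sends %-20s => %s\n' "$store" "$chain" "$(chain_status "$store" "$chain")"
  done
done
```

Run it with sh on a box with OpenSSL 1.1.0 or newer. The EXPIRED row (old root only, long chain) is the 30 September 2021 symptom: once the cross-signed certificate's validity ends, a client that trusts only the old root has nothing valid to stop at. A client trusting the new root still accepts the long chain because OpenSSL 1.1.0 and later consult the trust store before the served certificates when an issuer name matches both; OpenSSL 1.0.2, the Xenial package shown earlier in the thread, does not apply that rule by default and reports the expiry instead of trying the other path, which is what the linked OpenSSL blog post is about (on a 1.0.2 box, repeat the rootB.pem/fullchain.pem case with and without `-trusted_first` to see the difference). The short chain is what the alternate chain looks like: clients with the new root accept it, and old-root-only clients fail with the same "unable to get local issuer certificate" (error 20) that appeared in the port 25 output above, because there is no path to anything they trust. Whichever chain you pick, fullchain.pem is the leaf followed by every intermediate the client needs to reach a root it already has, never the root itself.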
