[ejabberd] Ejabberd 21.07 - expired SSL cert?

Jonathan Siegle jsiegle at gmail.com
Mon Oct 18 04:39:04 MSK 2021


Can you provide your -hash -issuer_hash -dates output? Also, if you are
convinced that the chain is good, then erlang/ejabberd may be looking at
something different.  The doc claims that it was cross signed with a
different root to live beyond September 2021.

On Sun, Oct 17, 2021 at 9:04 PM Alex <alexrhtc at gmail.com> wrote:

> I renewed my cert though and now have the updated trust chain with no
> expired intermediate certificates.
>
> I use the exact same full chain PEM file also in Nginx, and Qualys SSL
> tester would pick up issues like expired intermediates, everything passes
> as valid with the tester - no chain issues. It couldn't possibly be the
> cert chain itself.
>
>
> On Mon, Oct 18, 2021 at 10:41 AM Evgeniy Khramtsov <xramtsov at gmail.com>
> wrote:
>
>> This is not an error, that's because the issuer's certificate has expired
>> on September 29.
>>
>> See https://community.letsencrypt.org/t/production-chain-changes/150739
>>
>> Mon, Oct 18, 2021, 1:36 Alex <alexrhtc at gmail.com> wrote:
>>
>>> Hi Tamer,
>>>
>>> On FreeBSD, I believe this is the ca_root_nss package. It is up to date
>>> on my system.
>>>
>>> My cert bundle doesn't contain any expired certs so I can only assume
>>> that this log warning from Ejabberd is erroneous.
>>>
>>>
>>>
>>> On Sun, Oct 17, 2021 at 8:27 PM Tamer Higazi <th982a at googlemail.com>
>>> wrote:
>>>
>>>> Hi Alex,
>>>>
>>>> Try to update the CA list on FreeBSD.
>>>> Same thing I had on my Gentoo machine. Don't know why ....
>>>>
>>>> best, Tamer
>>>>
>>>> On 10/17/21 at 5:18 AM, Alex wrote:
>>>> > Hi All,
>>>> >
>>>> > I am running Ejabberd 21.07 on FreeBSD.
>>>> >
>>>> > I am seeing a strange warning in my server logs, even after renewing
>>>> > my certificate (CA is Letsencrypt)
>>>> >
>>>> > 2021-10-17 14:02:07.980333+11:00 [warning]
>>>> > <0.295.0>@ejabberd_pkix:log_warnings/1:393 Invalid certificate in
>>>> > /usr/local/etc/letsencrypt/live/mydomain.net-0001/fullchain.pem: at
>>>> > line 65: certificate is no longer valid as its expiration date has
>>>> > passed
>>>> >
>>>> > I am aware that Letsencrypt did recently have an expired intermediate
>>>> > (R3) however I believe my cert bundle is currently fine as I renewed
>>>> > it - my web server uses the same pem and it scores an A+ on the
>>>> > qualys
>>>> > ssl tester with no chain/trust issues.
>>>> >
>>>> > When I look at the cert that Ejabberd is complaining about on line 65
>>>> > using openssl x509, it shows:
>>>> >
>>>> >   Certificate:
>>>> >     Data:
>>>> >         Version: 3 (0x2)
>>>> >         Serial Number:
>>>> >             40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
>>>> >         Signature Algorithm: sha256WithRSAEncryption
>>>> >         Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
>>>> >         Validity
>>>> >             Not Before: Jan 20 19:14:03 2021 GMT
>>>> >             Not After : Sep 30 18:14:03 2024 GMT
>>>> >         Subject: C = US, O = Internet Security Research Group, CN =
>>>> > ISRG Root X1
>>>> >
>>>> > 2024... It is certainly NOT expired. Is this an erroneous log
>>>> > message?
>>>> > A client who connects using the Pidgin XMPP client is reporting they
>>>> > get an invalid cert error when connecting, but I have no issues
>>>> > connecting using the same client (I am on Linux, however the person
>>>> > with the issue is on Windows).
>>>> >
>>>> > Thanks!
>>>> > A.
>>>> >
>>>> >
>>>> >
>>>> > _______________________________________________
>>>> > ejabberd mailing list
>>>> > ejabberd at jabber.ru
>>>> > http://lists.jabber.ru/mailman/listinfo/ejabberd
>
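
An added example, not part of the thread or of ejabberd: a shell script that prints the `-hash -issuer_hash -dates` output requested above for every certificate in a PEM bundle, labelled with the line where each certificate starts so it can be matched against the "at line 65" in the ejabberd warning. The function names are hypothetical, and it assumes `openssl`, `awk` and `mktemp` are installed.

```shell
#!/bin/sh
# Added example (not from the thread). All function names are hypothetical.

# split_bundle FILE DIR: write each certificate in FILE to DIR/<start line>.pem
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/%06d.pem", dir, NR) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# start_line CERTFILE: recover the bundle line number from the file name
start_line() { basename "$1" .pem | sed 's/^0*//'; }

# chain_report FILE: subject, issuer, both hashes and dates, per certificate
chain_report() {
    dir=$(mktemp -d) || return 1
    split_bundle "$1" "$dir"
    for cert in "$dir"/*.pem; do
        [ -e "$cert" ] || continue
        echo "== certificate starting at line $(start_line "$cert") =="
        openssl x509 -in "$cert" -noout -subject -issuer -hash -issuer_hash -dates
    done
    rm -rf "$dir"
}

# expired_cert_lines FILE [SECONDS]: print the start line of every certificate
# that is expired, or that expires within SECONDS from now (default 0)
expired_cert_lines() {
    dir=$(mktemp -d) || return 1
    split_bundle "$1" "$dir"
    for cert in "$dir"/*.pem; do
        [ -e "$cert" ] || continue
        openssl x509 -in "$cert" -noout -checkend "${2:-0}" >/dev/null ||
            start_line "$cert"
    done
    rm -rf "$dir"
}

# Run as a script: ./chain_report.sh /path/to/fullchain.pem
if [ "$#" -gt 0 ]; then
    chain_report "$1"
    echo "expired at line(s): $(expired_cert_lines "$1" | tr '\n' ' ')"
fi
```

A certificate whose own dates are valid can still chain to an issuer that is not in the file; the issuer hash printed for it is the value to look up in the system CA store.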