[ejabberd] Ejabberd 21.07 - expired SSL cert?

Jonathan Siegle jsiegle at gmail.com
Mon Oct 18 05:54:09 MSK 2021


I've seen this when both paths are legit but something in the chain is
expired (Sectigo did this the other year) and OpenSSL or whatever library
uses the wrong one. Verify the old root is no longer installed and the new
one is. You may even have a hash collision. I *think* that solves it?

On Sun, Oct 17, 2021 at 10:16 PM Alex <alexrhtc at gmail.com> wrote:

> I think I know what's happening here.
>
> Everything passes in Qualys, but check out this screenshot of the
> certification paths:
>
> https://prnt.sc/1wk4lyy
>
> I suspect what is happening is that both certification paths fail for
> Ejabberd because it doesn't recognise the "ISRG Root X1" certificate as
> trusted for some reason, so it is trying the second path and finds an
> expired root certificate.
>
> The ISRG Root X1 is listed in the ca_root_nss store on my server:
> -----------
>        Version: 3 (0x2)
>        Serial Number:
>            82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
>        Signature Algorithm: sha256WithRSAEncryption
>        Issuer: C = US, O = Internet Security Research Group, CN = ISRG
> Root X1
>        Validity
>            Not Before: Jun  4 11:04:38 2015 GMT
>            Not After : Jun  4 11:04:38 2035 GMT
>        Subject: C = US, O = Internet Security Research Group, CN = ISRG
> Root X1
> -----------
> I am unsure why Ejabberd has an issue with the first certification path...
> Could it be due to the key being 4096 bits instead of 2048?
>
> On Mon, Oct 18, 2021 at 12:39 PM Jonathan Siegle <jsiegle at gmail.com>
> wrote:
>
>> Can you provide your -hash -issuer_hash -dates output? Also, if you are
>> convinced that the chain is good, then erlang/ejabberd may be looking at
>> something different. The doc claims that it was cross signed with a
>> different root to live beyond September 2021.
>>
>> On Sun, Oct 17, 2021 at 9:04 PM Alex <alexrhtc at gmail.com> wrote:
>>
>>> I renewed my cert though and now have the updated trust chain with no
>>> expired intermediate certificates.
>>>
>>> I use the exact same full chain PEM file also in Nginx, and Qualys SSL
>>> tester would pick up issues like expired intermediates, everything passes
>>> as valid with the tester - no chain issues. It couldn't possibly be the
>>> cert chain itself.
>>>
>>>
>>> On Mon, Oct 18, 2021 at 10:41 AM Evgeniy Khramtsov <xramtsov at gmail.com>
>>> wrote:
>>>
>>>> This is not an error; it's because the issuer's certificate
>>>> expired on September 29.
>>>>
>>>> See https://community.letsencrypt.org/t/production-chain-changes/150739
>>>>
>>>> Mon, 18 Oct 2021, 1:36 Alex <alexrhtc at gmail.com>:
>>>>
>>>>> Hi Tamer,
>>>>>
>>>>> On FreeBSD, I believe this is the ca_root_nss package. It is up to
>>>>> date on my system.
>>>>>
>>>>> My cert bundle doesn't contain any expired certs so I can only assume
>>>>> that this log warning from Ejabberd is erroneous.
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Oct 17, 2021 at 8:27 PM Tamer Higazi <th982a at googlemail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Alex,
>>>>>>
>>>>>> Try to update the CA list on FreeBSD.
>>>>>> Same thing I had on my Gentoo machine; don't know why ....
>>>>>>
>>>>>> best, Tamer
>>>>>>
>>>>>> On 10/17/21 at 5:18 AM, Alex wrote:
>>>>>> > Hi All,
>>>>>> >
>>>>>> > I am running Ejabberd 21.07 on FreeBSD.
>>>>>> >
>>>>>> > I am seeing a strange warning in my server logs, even after
>>>>>> > renewing my certificate (CA is Let's Encrypt):
>>>>>> >
>>>>>> > 2021-10-17 14:02:07.980333+11:00 [warning]
>>>>>> > <0.295.0>@ejabberd_pkix:log_warnings/1:393 Invalid certificate in
>>>>>> > /usr/local/etc/letsencrypt/live/mydomain.net-0001/fullchain.pem: at
>>>>>> > line 65: certificate is no longer valid as its expiration date has
>>>>>> > passed
>>>>>> >
>>>>>> > I am aware that Let's Encrypt did recently have an expired
>>>>>> > intermediate (R3); however, I believe my cert bundle is currently
>>>>>> > fine as I renewed it - my web server uses the same PEM and it scores
>>>>>> > an A+ on the Qualys SSL tester with no chain/trust issues.
>>>>>> >
>>>>>> > When I look at the cert that Ejabberd is complaining about on line
>>>>>> > 65 using openssl x509, it shows:
>>>>>> >
>>>>>> >   Certificate:
>>>>>> >     Data:
>>>>>> >         Version: 3 (0x2)
>>>>>> >         Serial Number:
>>>>>> >             40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
>>>>>> >         Signature Algorithm: sha256WithRSAEncryption
>>>>>> >         Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
>>>>>> >         Validity
>>>>>> >             Not Before: Jan 20 19:14:03 2021 GMT
>>>>>> >             Not After : Sep 30 18:14:03 2024 GMT
>>>>>> >         Subject: C = US, O = Internet Security Research Group, CN =
>>>>>> > ISRG Root X1
>>>>>> >
>>>>>> > 2024... It is certainly NOT expired. Is this an erroneous log
>>>>>> > message? A client who connects using the Pidgin XMPP client is
>>>>>> > reporting they get an invalid cert error when connecting, but I have
>>>>>> > no issues connecting using the same client (I am on Linux; however,
>>>>>> > the person with the issue is on Windows).
>>>>>> >
>>>>>> > Thanks!
>>>>>> > A.
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > _______________________________________________
>>>>>> > ejabberd mailing list
>>>>>> > ejabberd at jabber.ru
>>>>>> > http://lists.jabber.ru/mailman/listinfo/ejabberd
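The diagnosis the thread converges on (the chain file itself has nothing expired in it, but a validator that still has the old DST Root CA X3 installed can build a path from the cross-signed ISRG Root X1 to that expired root) is easy to check mechanically. The following is an added example, not code from this thread, from ejabberd or from Let's Encrypt: a dependency-free Python walker that splits a fullchain.pem into its certificates, reads each one's subject CN, issuer CN and validity straight from the DER, reports the 1-based line range each block occupies (so a warning that names a line can be mapped to a certificate), and, for each certificate, whether the trust-store certificate whose subject matches its issuer has itself expired. The sample "certificates" are constructed, unsigned skeletons with a dummy key and signature, built inline so the script runs offline; the ISRG Root X1 and DST Root CA X3 dates follow the real certificates, the leaf and R3 dates are approximations, and `audit_chain`, `fake_cert`, `STORE_STALE` and `STORE_CLEAN` are names chosen here.

```python
import base64
import datetime as dt
UTC = dt.timezone.utc
CN_OID = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

# --- minimal DER reader: just enough to walk a tbsCertificate ---
def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):  # yield (tag, value) for each element of a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        yield tag, val

def der_time(tag, value):  # UTCTime (0x17) or GeneralizedTime (0x18) -> aware UTC datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=UTC)

def name_cn(name):
    """CN of a Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = list(der_children(atv))[:2]
            if oid == CN_OID:
                return val.decode("utf-8", "replace")
    return "?"

def parse_cert(der):
    """Subject CN, issuer CN and validity of one DER-encoded certificate."""
    _, cert, _ = der_tlv(der, 0)  # Certificate ::= SEQUENCE { tbs, algid, signature }
    _, tbs = next(der_children(cert))
    fields = list(der_children(tbs))  # [version], serial, algid, issuer, validity, subject, spki...
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    not_before, not_after = (der_time(t, v) for t, v in der_children(fields[3][1]))
    return {"subject": name_cn(fields[4][1]), "issuer": name_cn(fields[2][1]),
            "not_before": not_before, "not_after": not_after}

def split_pem(text):
    """Yield (first_line, last_line, DER) for each CERTIFICATE block; lines are 1-based."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        if lines[i].strip() == "-----BEGIN CERTIFICATE-----":
            start, b64, i = i + 1, [], i + 1
            while lines[i].strip() != "-----END CERTIFICATE-----":
                b64.append(lines[i].strip())
                i += 1
            yield start, i + 1, base64.b64decode("".join(b64))
        i += 1

def audit_chain(fullchain_pem, trust_store_pem, now):
    """Per bundle cert: its own expiry, and the expiry of the store cert matching its issuer."""
    roots = {c["subject"]: c for c in (parse_cert(d) for _, _, d in split_pem(trust_store_pem))}
    report = []
    for start, end, der in split_pem(fullchain_pem):
        c = parse_cert(der)
        root = roots.get(c["issuer"])  # CN match only; a real validator also checks DN and key ids
        report.append({"lines": (start, end), "subject": c["subject"], "issuer": c["issuer"],
                       "expired": c["not_after"] < now, "issuer_in_store": root is not None,
                       "store_issuer_expired": root is not None and root["not_after"] < now})
    return report

# --- constructed sample data: unsigned, key-less certificate skeletons (not real certs) ---
def tlv(tag, body):
    """DER-encode one tag-length-value (short or long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert(subject_cn, issuer_cn, not_before, not_after):
    """Real tbsCertificate field order, dummy key and signature: parses, never validates."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode()))))
    utc = lambda t: tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name(issuer_cn)
              + tlv(0x30, utc(not_before) + utc(not_after)) + name(subject_cn) + tlv(0x30, alg + tlv(0x03, b"\x00")))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))

D = lambda *a: dt.datetime(*a, tzinfo=UTC)
# ISRG Root X1 and DST Root CA X3 dates follow the real certificates; leaf and R3 dates are approximations.
LEAF = fake_cert("mydomain.net", "R3", D(2021, 10, 1), D(2021, 12, 30))
R3 = fake_cert("R3", "ISRG Root X1", D(2020, 9, 4), D(2025, 9, 15))
X1_CROSS = fake_cert("ISRG Root X1", "DST Root CA X3", D(2021, 1, 20, 19, 14, 3), D(2024, 9, 30, 18, 14, 3))
X1_SELF = fake_cert("ISRG Root X1", "ISRG Root X1", D(2015, 6, 4, 11, 4, 38), D(2035, 6, 4, 11, 4, 38))
DST_X3 = fake_cert("DST Root CA X3", "DST Root CA X3", D(2000, 9, 30, 21, 12, 19), D(2021, 9, 30, 14, 1, 15))
FULLCHAIN = to_pem(LEAF) + to_pem(R3) + to_pem(X1_CROSS)  # shape of Let's Encrypt's default chain
STORE_STALE = to_pem(X1_SELF) + to_pem(DST_X3)  # new root installed, old root never removed
STORE_CLEAN = to_pem(X1_SELF)  # old root removed
```

Evaluated at the thread's date, `audit_chain(FULLCHAIN, STORE_STALE, D(2021, 10, 17))` reports every certificate in the bundle as unexpired, exactly what openssl x509 and Qualys show, while flagging that the third block's issuer, DST Root CA X3, is present in the store and expired; with `STORE_CLEAN` the same bundle produces no flags, which is the "verify the old root is no longer installed and the new one is" check from the reply above. Against a real system, feed it the actual fullchain.pem and the ca_root_nss bundle; matching is by CN only, so treat a hit as a lead to confirm with `openssl verify -CAfile`, not as proof.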