[ejabberd] Ejabberd 21.07 - expired SSL cert?

Alex alexrhtc at gmail.com
Mon Oct 18 06:09:40 MSK 2021


Hi Jon,

When you say 'verify the old root is no longer installed' what do you mean?

I ended up wiping every trace of letsencrypt (all keys, certs etc) from my
server and issued a fresh cert and still have the same issue.

Did you mean removing it from the trust store on the server? If I look at
the store, I see the expired cert is still in it:

---
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
       Signature Algorithm: sha1WithRSAEncryption
       Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
       Validity
           Not Before: Sep 30 21:12:19 2000 GMT
           Not After : Sep 30 14:01:15 2021 GMT
       Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
----


On Mon, Oct 18, 2021 at 1:55 PM Jonathan Siegle <jsiegle at gmail.com> wrote:

> I've seen this when both paths are legit but something in the chain is
> expired (Sectigo did this the other year) and openssl or whatever library
> uses the wrong one. Verify the old root is no longer installed and the new
> one is. You may even have a hash collision. I *think* that solves it?
>
> On Sun, Oct 17, 2021 at 10:16 PM Alex <alexrhtc at gmail.com> wrote:
>
>> I think I know what's happening here.
>>
>> Everything passes in Qualys, but check out this screenshot of the
>> certification paths:
>>
>> https://prnt.sc/1wk4lyy
>>
>> I suspect what is happening is that both certification paths fail for
>> Ejabberd because it doesn't recognise the "ISRG Root X1" certificate as
>> trusted for some reason, so it is trying the second path and finds an
>> expired root certificate.
>>
>> The ISRG Root X1 is listed in the ca_root_nss store on my server:
>> -----------
>>        Version: 3 (0x2)
>>        Serial Number:
>>            82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
>>        Signature Algorithm: sha256WithRSAEncryption
>>        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
>>        Validity
>>            Not Before: Jun  4 11:04:38 2015 GMT
>>            Not After : Jun  4 11:04:38 2035 GMT
>>        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
>> -----------
>> I am unsure why Ejabberd has an issue with the first certification
>> path... Could it be due to the key being 4096 bits instead of 2048?
>>
>>
>>
>>
>>
>> On Mon, Oct 18, 2021 at 12:39 PM Jonathan Siegle <jsiegle at gmail.com>
>> wrote:
>>
>>> Can you provide your -hash -issuer_hash -dates output? Also, if you are
>>> convinced that the chain is good, then erlang/ejabberd may be looking at
>>> something different.  The doc claims that it was cross signed with a
>>> different root to live beyond September 2021.
>>>
>>> On Sun, Oct 17, 2021 at 9:04 PM Alex <alexrhtc at gmail.com> wrote:
>>>
>>>> I renewed my cert though and now have the updated trust chain with no
>>>> expired intermediate certificates.
>>>>
>>>> I use the exact same full chain PEM file also in Nginx, and the Qualys SSL
>>>> tester would pick up issues like expired intermediates; everything passes
>>>> as valid with the tester - no chain issues. It couldn't possibly be the
>>>> cert chain itself.
>>>>
>>>>
>>>> On Mon, Oct 18, 2021 at 10:41 AM Evgeniy Khramtsov <xramtsov at gmail.com>
>>>> wrote:
>>>>
>>>>> This is not an error; that's because the issuer's certificate
>>>>> expired on September 29.
>>>>>
>>>>> See
>>>>> https://community.letsencrypt.org/t/production-chain-changes/150739
>>>>>
>>>>> Mon, 18 Oct 2021, 1:36 Alex <alexrhtc at gmail.com>:
>>>>>
>>>>>> Hi Tamer,
>>>>>>
>>>>>> On FreeBSD, I believe this is the ca_root_nss package. It is up to
>>>>>> date on my system.
>>>>>>
>>>>>> My cert bundle doesn't contain any expired certs so I can only assume
>>>>>> that this log warning from Ejabberd is erroneous.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sun, Oct 17, 2021 at 8:27 PM Tamer Higazi <th982a at googlemail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Alex,
>>>>>>>
>>>>>>> Try to update the CA list on FreeBSD.
>>>>>>> Same thing I had on my Gentoo machine. Don't know why ....
>>>>>>>
>>>>>>> best, Tamer
>>>>>>>
>>>>>>> On 10/17/21 at 5:18 AM, Alex wrote:
>>>>>>> > Hi All,
>>>>>>> >
>>>>>>> > I am running Ejabberd 21.07 on FreeBSD.
>>>>>>> >
>>>>>>> > I am seeing a strange warning in my server logs, even after
>>>>>>> > renewing my certificate (CA is Letsencrypt):
>>>>>>> >
>>>>>>> > 2021-10-17 14:02:07.980333+11:00 [warning]
>>>>>>> > <0.295.0>@ejabberd_pkix:log_warnings/1:393 Invalid certificate in
>>>>>>> > /usr/local/etc/letsencrypt/live/mydomain.net-0001/fullchain.pem:
>>>>>>> > at line 65: certificate is no longer valid as its expiration date
>>>>>>> > has passed
>>>>>>> >
>>>>>>> > I am aware that Letsencrypt did recently have an expired
>>>>>>> > intermediate (R3); however, I believe my cert bundle is currently
>>>>>>> > fine as I renewed it - my web server uses the same pem and it
>>>>>>> > scores an A+ on the Qualys SSL tester with no chain/trust issues.
>>>>>>> >
>>>>>>> > When I look at the cert that Ejabberd is complaining about on line
>>>>>>> > 65 using openssl x509, it shows:
>>>>>>> >
>>>>>>> >   Certificate:
>>>>>>> >     Data:
>>>>>>> >         Version: 3 (0x2)
>>>>>>> >         Serial Number:
>>>>>>> >             40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
>>>>>>> >         Signature Algorithm: sha256WithRSAEncryption
>>>>>>> >         Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
>>>>>>> >         Validity
>>>>>>> >             Not Before: Jan 20 19:14:03 2021 GMT
>>>>>>> >             Not After : Sep 30 18:14:03 2024 GMT
>>>>>>> >         Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
>>>>>>> >
>>>>>>> > 2024... It is certainly NOT expired. Is this an erroneous log
>>>>>>> > message?
>>>>>>> > A client who connects using the Pidgin XMPP client is reporting
>>>>>>> > they get an invalid cert error when connecting, but I have no issues
>>>>>>> > connecting using the same client (I am on Linux, however the person
>>>>>>> > with the issue is on Windows).
>>>>>>> >
>>>>>>> > Thanks!
>>>>>>> > A.
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> > _______________________________________________
>>>>>>> > ejabberd mailing list
>>>>>>> > ejabberd at jabber.ru
>>>>>>> > http://lists.jabber.ru/mailman/listinfo/ejabberd
>
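The -hash/-issuer_hash/-dates check Jon asked for, as an added example that is not from anyone in the thread: a POSIX shell function that walks a PEM bundle the way ejabberd_pkix reads fullchain.pem, reporting the line each certificate starts at, its subject and issuer hashes and whether it has expired, plus a lookup of a hash in the trust store. It assumes openssl(1) is on PATH; the ca_root_nss bundle path is an assumption for FreeBSD.

```shell
#!/bin/sh
# Added example, not from the thread. Lists every certificate in a PEM bundle
# with the line it starts at (matches the "at line N" in the ejabberd warning),
# its subject hash, its issuer hash and whether it has expired.
# Assumes openssl(1) on PATH; the ca_root_nss path is an assumption (FreeBSD).
CA_BUNDLE="${CA_BUNDLE:-/usr/local/share/certs/ca-root-nss.crt}"

# inspect_bundle FILE
# Output: one line per certificate:
#   <start line> <subject_hash> <issuer_hash> <VALID|EXPIRED> <notAfter>
inspect_bundle() {
    bundle="$1"
    tmp=$(mktemp)
    n=0
    start=0
    # Read line by line to track where each certificate begins; the
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            "-----BEGIN CERTIFICATE-----") start=$n; : > "$tmp" ;;
        esac
        printf '%s\n' "$line" >> "$tmp"
        case "$line" in
            "-----END CERTIFICATE-----")
                # -hash/-issuer_hash are the names a trust store indexes by
                hash=$(openssl x509 -in "$tmp" -noout -hash </dev/null)
                ihash=$(openssl x509 -in "$tmp" -noout -issuer_hash </dev/null)
                end=$(openssl x509 -in "$tmp" -noout -enddate </dev/null | sed 's/^notAfter=//')
                # -checkend 0 succeeds only while the certificate is still valid
                if openssl x509 -in "$tmp" -noout -checkend 0 </dev/null >/dev/null; then
                    state=VALID
                else
                    state=EXPIRED
                fi
                printf '%s %s %s %s %s\n' "$start" "$hash" "$ihash" "$state" "$end"
                ;;
        esac
    done < "$bundle"
    rm -f "$tmp"
}

# in_trust_store HASH [BUNDLE]: print trust-store entries whose subject hash is
# HASH, e.g. the issuer hash of the cross-signed ISRG Root X1 (DST Root CA X3).
in_trust_store() {
    inspect_bundle "${2:-$CA_BUNDLE}" | awk -v h="$1" '$2 == h'
}
```

Run `inspect_bundle` on the fullchain.pem from the warning; the issuer hash printed for the certificate at line 65 is the value to pass to `in_trust_store` to see whether the expired DST Root CA X3 is still in the store.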