[ejabberd] Ejabberd 21.07 - expired SSL cert?

Alex alexrhtc at gmail.com
Mon Oct 18 09:09:36 MSK 2021


I think that warning in the log is a red herring in my case. I used openssl
s_client to connect to my ejabberd server and the correct certificate chain
is getting sent by the ejabberd server. So as long as the client software
that is connecting isn't braindead, it should be ok hopefully. The end user
that was having trouble via pidgin on windows was able to fix it by
updating pidgin (had an old version).



On Mon, Oct 18, 2021 at 2:18 PM Jonathan Siegle <jsiegle at gmail.com> wrote:

> Yeah, there is no reason to keep an expired root. Is there? Wherever it is
> now, make sure the new one is also installed and remove the expired one.
> You may have to run c_rehash or just build the hash links if those are
> needed. I'm going to sleep now. Good luck!
>
> On Sun, Oct 17, 2021 at 11:10 PM Alex <alexrhtc at gmail.com> wrote:
>
>> Hi Jon,
>>
>> When you say 'verify the old root is no longer installed' what do you
>> mean?
>>
>> I ended up wiping every trace of letsencrypt (all keys, certs etc) from
>> my server and issued a fresh cert and still have the same issue.
>>
>> Did you mean removing it from the trust store on the server? If I look at
>> the store, I see the expired cert is still in it:
>>
>> ---
>> Certificate:
>>    Data:
>>        Version: 3 (0x2)
>>        Serial Number:
>>            44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
>>        Signature Algorithm: sha1WithRSAEncryption
>>        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
>>        Validity
>>            Not Before: Sep 30 21:12:19 2000 GMT
>>            Not After : Sep 30 14:01:15 2021 GMT
>>        Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
>> ---
>>
>>
>> On Mon, Oct 18, 2021 at 1:55 PM Jonathan Siegle <jsiegle at gmail.com>
>> wrote:
>>
>>> I've seen this when both paths are legit but something in the chain is
>>> expired (Sectigo did this the other year) and openssl or whatever library
>>> uses the wrong one. Verify the old root is no longer installed and the new
>>> one is. You may even have a hash collision. I *think* that solves it?
>>>
>>> On Sun, Oct 17, 2021 at 10:16 PM Alex <alexrhtc at gmail.com> wrote:
>>>
>>>> I think I know what's happening here.
>>>>
>>>> Everything passes in Qualys, but check out this screenshot of the
>>>> certification paths:
>>>>
>>>> https://prnt.sc/1wk4lyy
>>>>
>>>> I suspect what is happening is that both certification paths fail for
>>>> Ejabberd because it doesn't recognise the "ISRG Root X1" certificate as
>>>> trusted for some reason, so it is trying the second path and finds an
>>>> expired root certificate.
>>>>
>>>> The ISRG Root X1 is listed in the ca_root_nss store on my server:
>>>> -----------
>>>>        Version: 3 (0x2)
>>>>        Serial Number:
>>>>            82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
>>>>        Signature Algorithm: sha256WithRSAEncryption
>>>>        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
>>>>        Validity
>>>>            Not Before: Jun  4 11:04:38 2015 GMT
>>>>            Not After : Jun  4 11:04:38 2035 GMT
>>>>        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
>>>> -----------
>>>> I am unsure why Ejabberd has an issue with the first certification
>>>> path... Could it be due to the key being 4096 bits instead of 2048?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Oct 18, 2021 at 12:39 PM Jonathan Siegle <jsiegle at gmail.com>
>>>> wrote:
>>>>
>>>>> Can you provide your -hash -issuer_hash -dates output? Also, if you
>>>>> are convinced that the chain is good, then erlang/ejabberd may be looking
>>>>> at something different. The doc claims that it was cross signed with a
>>>>> different root to live beyond September 2021.
>>>>>
>>>>> On Sun, Oct 17, 2021 at 9:04 PM Alex <alexrhtc at gmail.com> wrote:
>>>>>
>>>>>> I renewed my cert though and now have the updated trust chain with no
>>>>>> expired intermediate certificates.
>>>>>>
>>>>>> I use the exact same full chain PEM file also in Nginx, and the Qualys
>>>>>> SSL tester would pick up issues like expired intermediates; everything
>>>>>> passes as valid with the tester - no chain issues. It couldn't possibly be
>>>>>> the cert chain itself.
>>>>>>
>>>>>>
>>>>>> On Mon, Oct 18, 2021 at 10:41 AM Evgeniy Khramtsov <
>>>>>> xramtsov at gmail.com> wrote:
>>>>>>
>>>>>>> This is not an error; that's because the issuer's certificate
>>>>>>> expired on September 29.
>>>>>>>
>>>>>>> See
>>>>>>> https://community.letsencrypt.org/t/production-chain-changes/150739
>>>>>>>
>>>>>>> Mon, 18 Oct 2021, 1:36 Alex <alexrhtc at gmail.com>:
>>>>>>>
>>>>>>>> Hi Tamer,
>>>>>>>>
>>>>>>>> On FreeBSD, I believe this is the ca_root_nss package. It is up to
>>>>>>>> date on my system.
>>>>>>>>
>>>>>>>> My cert bundle doesn't contain any expired certs so I can only
>>>>>>>> assume that this log warning from Ejabberd is erroneous.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sun, Oct 17, 2021 at 8:27 PM Tamer Higazi <th982a at googlemail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi Alex,
>>>>>>>>>
>>>>>>>>> Try to update the CA list on FreeBSD.
>>>>>>>>> Same thing I had on my Gentoo machine. Don't know why....
>>>>>>>>>
>>>>>>>>> best, Tamer
>>>>>>>>>
>>>>>>>>> On 10/17/21 at 5:18 AM, Alex wrote:
>>>>>>>>> > Hi All,
>>>>>>>>> >
>>>>>>>>> > I am running Ejabberd 21.07 on FreeBSD.
>>>>>>>>> >
>>>>>>>>> > I am seeing a strange warning in my server logs, even after renewing
>>>>>>>>> > my certificate (CA is Letsencrypt):
>>>>>>>>> >
>>>>>>>>> > 2021-10-17 14:02:07.980333+11:00 [warning]
>>>>>>>>> > <0.295.0>@ejabberd_pkix:log_warnings/1:393 Invalid certificate in
>>>>>>>>> > /usr/local/etc/letsencrypt/live/mydomain.net-0001/fullchain.pem:
>>>>>>>>> > at line 65: certificate is no longer valid as its expiration date
>>>>>>>>> > has passed
>>>>>>>>> >
>>>>>>>>> > I am aware that Letsencrypt did recently have an expired intermediate
>>>>>>>>> > (R3), however I believe my cert bundle is currently fine as I renewed
>>>>>>>>> > it - my web server uses the same pem and it scores an A+ on the Qualys
>>>>>>>>> > SSL tester with no chain/trust issues.
>>>>>>>>> >
>>>>>>>>> > When I look at the cert that Ejabberd is complaining about on line 65
>>>>>>>>> > using openssl x509, it shows:
>>>>>>>>> >
>>>>>>>>> >   Certificate:
>>>>>>>>> >     Data:
>>>>>>>>> >         Version: 3 (0x2)
>>>>>>>>> >         Serial Number:
>>>>>>>>> >             40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
>>>>>>>>> >         Signature Algorithm: sha256WithRSAEncryption
>>>>>>>>> >         Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
>>>>>>>>> >         Validity
>>>>>>>>> >             Not Before: Jan 20 19:14:03 2021 GMT
>>>>>>>>> >             Not After : Sep 30 18:14:03 2024 GMT
>>>>>>>>> >         Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
>>>>>>>>> >
>>>>>>>>> > 2024... It is certainly NOT expired. Is this an erroneous log message?
>>>>>>>>> > A client who connects using the Pidgin XMPP client is reporting they
>>>>>>>>> > get an invalid cert error when connecting, but I have no issues
>>>>>>>>> > connecting using the same client (I am on Linux, however the person
>>>>>>>>> > with the issue is on Windows).
>>>>>>>>> >
>>>>>>>>> > Thanks!
>>>>>>>>> > A.
>>>>>>>>> >
>>>>>>>>> > _______________________________________________
>>>>>>>>> > ejabberd mailing list
>>>>>>>>> > ejabberd at jabber.ru
>>>>>>>>> > http://lists.jabber.ru/mailman/listinfo/ejabberd
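The thread's conclusion, as an added example (not code from the thread or from ejabberd): a small Python audit of a fullchain.pem that reports, for each certificate, the bundle line ejabberd cites, its own expiry, and whether its issuer is in the bundle, a still-valid trusted root, an expired trusted root (the DST Root CA X3 case behind the warning) or absent, plus whether the certificate's own subject is a trusted root so a client can end the path there (why clients that trust the self-signed ISRG Root X1 are unaffected). The minimal DER walker, the hand-built `fake_cert` sample chain and the trust-store dates are constructed to mirror the certificates quoted above.

```python
import base64, re
from datetime import datetime  # all times below are naive UTC

def elements(buf):  # (tag, value) children of a DER SEQUENCE/SET body
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long-form length
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, buf[pos:pos + n])); pos += n
    return out

def common_name(name_der):  # first id-at-commonName (OID 2.5.4.3) in an X.501 Name
    for _, rdn in elements(name_der):
        for _, atv in elements(rdn):
            oid, val = elements(atv)
            if oid[1] == b"\x55\x04\x03":
                return val[1].decode()

def cert_summary(der):  # Certificate -> TBSCertificate fields, minus the explicit [0] version
    tbs = [f for f in elements(elements(elements(der)[0][1])[0][1]) if f[0] != 0xA0]
    tag, when = elements(tbs[3][1])[1]  # validity.notAfter: UTCTime (2-digit year) or GeneralizedTime
    not_after = datetime.strptime(when.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")
    return {"subject": common_name(tbs[4][1]), "issuer": common_name(tbs[2][1]), "not_after": not_after}

def audit_bundle(pem, trusted_roots, now):  # per cert: bundle line (as ejabberd cites it), expiry, issuer state
    rows, subjects = [], set()
    for m in re.finditer(r"-----BEGIN CERTIFICATE-----\n(.*?)-----END CERTIFICATE-----", pem, re.S):
        c = cert_summary(base64.b64decode(m.group(1)))
        c["line"], c["expired"] = pem.count("\n", 0, m.start()) + 1, c["not_after"] < now
        rows.append(c); subjects.add(c["subject"])
    for c in rows:  # an issuer absent from the bundle has to come from the trust store
        root = trusted_roots.get(c["issuer"])
        c["issuer_status"] = ("in bundle" if c["issuer"] in subjects else "not in trust store"
                              if root is None else "trusted root EXPIRED" if root < now else "trusted root ok")
        c["alt_path"] = trusted_roots.get(c["subject"], now) > now  # self-signed twin trusted: path can end here
    return rows

# Constructed, unsigned sample data modelled on the thread's chain: hand-encoded DER, not real certificates.
def tlv(tag, body): return bytes([tag, len(body)]) + body  # short-form length only; all samples < 128 bytes
def fake_cert(subject, issuer, not_after):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") + name(issuer)
              + tlv(0x30, tlv(0x17, b"210120191403Z") + tlv(0x17, not_after)) + name(subject))
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
FULLCHAIN = (fake_cert("mydomain.net", "R3", b"220115000000Z") + fake_cert("R3", "ISRG Root X1", b"250915160000Z")
             + fake_cert("ISRG Root X1", "DST Root CA X3", b"240930181403Z"))  # line 9: the cross-signed root
TRUST_STORE = {"DST Root CA X3": datetime(2021, 9, 30, 14, 1, 15), "ISRG Root X1": datetime(2035, 6, 4, 11, 4, 38)}
NOW = datetime(2021, 10, 17, 14, 2, 7)  # timestamp of the warning quoted in the thread
```

Against a real server, read the fullchain.pem text into `audit_bundle` and build `trusted_roots` from the system CA bundle, for example by running `cert_summary` over each PEM block in it.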