1. Forum
  2. Usenet
  3. COMP.MISC

  • Letsencrypt cert server fail?

    From Mike Spencer@21:1/5 to All on Sat Oct 2 02:26:23 2021
    Is Letsencrypt having a problem or is this something I don't
    understand? (Lots of things, including the whole cert mechanism, I
    don't understand.)

    Numerous web sites failing to connect 1-2 Oct. 2021

    Browser (Seamonkey) reports:

    sec_error_expired_issuer_certificate

    wget --no-check-certificate reports:

    WARNING: cannot verify [DOMAIN_NAME]'s certificate, issued by
    'CN=R3,O=Let\'s Encrypt,C=US':
    Issued certificate has expired.


    Sites that fail are themselves okay because the wget command succeeds
    with --no-check-certificate.

    Not all sites fail.

    Example sites that fail:

    slashdot.org
    soylentnews.org
    www.schneier.com
    nymag.com

    Example sites that DO NOT fail

    google.com
    www.nhc.noaa.gov
    topics.nytimes.com
    xkcd.com

    Using Linux, Seamonkey 2.40 but another user has had same problem,
    same date Oct 1, using Windows.

    --
    Mike Spencer Nova Scotia, Canada

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Burns@21:1/5 to Mike Spencer on Sat Oct 2 07:52:25 2021
    Mike Spencer wrote:

    Using Linux, Seamonkey 2.40 but another user has had same problem,
    same date Oct 1, using Windows.
    Import the "ISRG Root X1" into seamonkey's certificate store under authorities?

    <https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Burns@21:1/5 to Mike Spencer on Sat Oct 2 09:02:11 2021
    Mike Spencer wrote:

    Andy Burns wrote:

    Mike Spencer wrote:

    Using Linux, Seamonkey 2.40 but another user has had same problem,
    same date Oct 1, using Windows.

    <https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021>

    Yes, after posting, I eventually found that with some bother.
    With Linux, there's a workaround but it's a tedious PITA.

    Import the "ISRG Root X1" into seamonkey's certificate store under
    authorities?

    I don't know how to do that but I'll try to find out directly.

    I'm sure you'll figure it, but use wget or curl or something to grab the cert file from

    https://letsencrypt.org/certs/isrgrootx1.der

    it's also available as a .pem if you have a reason to prefer that.

    Then (and this is where, as a TB/FF user, I have to assume that SM is broadly similar) Tools/Settings/Security/Certificates, select Authorities, click import and select the file you just downloaded.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Mike Spencer@21:1/5 to Andy Burns on Sat Oct 2 04:25:37 2021
    Andy Burns <[email protected]> writes:

    Mike Spencer wrote:

    Using Linux, Seamonkey 2.40 but another user has had same problem,
    same date Oct 1, using Windows.

    <https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021>

    Yes, after posting, I eventually found that with some bother.
    With Linux, there's a workaround but it's a tedious PITA.

    Import the "ISRG Root X1" into seamonkey's certificate store under authorities?

    I don't know how to do that but I'll try to find out directly.



    Thank you very much.

    --
    Mike Spencer Nova Scotia, Canada

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Mike Spencer@21:1/5 to Andy Burns on Sun Oct 3 17:03:18 2021
    Andy Burns <[email protected]> writes:

    Mike Spencer wrote:

    Andy Burns wrote:

    Mike Spencer wrote:

    Using Linux, Seamonkey 2.40 but another user has had same problem,
    same date Oct 1, using Windows.

    <https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021>

    Import the "ISRG Root X1" into seamonkey's certificate store under
    authorities?

    I don't know how to do that but I'll try to find out directly.

    I'm sure you'll figure it, but use wget or curl or something to grab
    the cert file from

    https://letsencrypt.org/certs/isrgrootx1.der

    it's also available as a .pem if you have a reason to prefer that.

    Good. Thank you. Did figure it out. Seamonkey appears to be working
    as expected with sites using ISRG certs.

    Then (and this is where, as a TB/FF user, I have to assume that SM
    is broadly similar) Tools/Settings/Security/Certificates, select
    Authorities, click import and select the file you just downloaded.

    Just so. Worked as intended. Next up: Try same for SM on Windows box
    of SWMBO.

    Digressing only slightly: Despite lots of (admittedly amateur) messing
    about with assembler, C, Perl etc. from CP/M days into Linux and
    TCP/IP, tech gets increasingly complex (in the technical as well as
    the colloquial sense) and I've been getting old almost as fast since,
    say, I first read K&R.

    I'm not nearly as smart or as knowledgeable as Dan Geer but I'm
    inclined to agree with him.

    I am getting older, and I have to allow for the fact that perhaps that
    explains everything, though I don't think so. I am, as a rule,
    skeptical of coming to rely upon things that I don't know how they
    work. If there's anything that I've come to be relatively adamant
    about is that, as humans, we have repeatedly demonstrated that we can
    quite clearly build things more complex than we can then manage, our
    friends in finance and flash crashes being a fine example of that.

    Given what I know in the cyber security arena, the number of things
    that, in effect, nobody understands how they work causes me to say,
    well, then why do I want to depend on it?

    I understand basic concepts such as how PKC works in principle but the
    whole HTTPS/PKC/certificate/digital-sig as a ball of wax remains
    mostly a black box. Pop-up windows asking me to choose between or
    approve things I don't understand are particularly intimidating. So
    I'm hesitant to "just 'import' $FILE that comes from $SITE into $HUGE_COMPLICATED_APP and click 'OK'" when I don't understand most of
    the pieces involved in doing that.

    Well, in any case, I did that and all appears to be well.

    I need a nice lucid book that explains this stuff, more detailed than pop-culture Luser level but less so than the large congeries of
    relevant RFCs.

    Usenet saves the day when the web goes dark! TYVM,

    --
    Mike Spencer Nova Scotia, Canada

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Oregonian Haruspex@21:1/5 to All on Thu Oct 7 08:50:44 2021
    I just HATE LetsEncrypt. It’s such a pain in the ass unless you want to
    give it’s script root permissions, to update.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bob Eager@21:1/5 to Oregonian Haruspex on Thu Oct 7 09:31:54 2021
    On Thu, 07 Oct 2021 08:50:44 +0000, Oregonian Haruspex wrote:

    I just HATE LetsEncrypt. It’s such a pain in the ass unless you want to give it’s script root permissions, to update.

    You doesn't pay yer money, and yer takes yer choice...!


    --
    Using UNIX since v6 (1975)...

    Use the BIG mirror service in the UK:
    http://www.mirrorservice.org

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Visiblink@21:1/5 to Oregonian Haruspex on Thu Oct 7 18:45:07 2021
    On Thu, 7 Oct 2021 08:50:44 -0000 (UTC)
    Oregonian Haruspex <[email protected]d> wrote:

    I just HATE LetsEncrypt. It’s such a pain in the ass unless you want
    to give it’s script root permissions, to update.

    I only use it for my XMPP server. There's no reason to use https on my
    website, and there's the added bonus that Google no longer likes it,
    since it's just plain old http.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Computer Nerd Kev@21:1/5 to Visiblink on Fri Oct 8 07:08:36 2021
    Visiblink <[email protected]d> wrote:
    On Thu, 7 Oct 2021 08:50:44 -0000 (UTC)
    Oregonian Haruspex <[email protected]d> wrote:

    I just HATE LetsEncrypt. It?s such a pain in the ass unless you want
    to give it?s script root permissions, to update.

    I only use it for my XMPP server. There's no reason to use https on my website, and there's the added bonus that Google no longer likes it,
    since it's just plain old http.

    I've got a website available over HTTP or HTTPS (using Let's
    Encrypt, and no I can't say that I've mastered it either) and
    google still includes page links to it with HTTP links instead of
    HTTPS. If they really cared then it would be easy to make their
    crawler check whether the same content was available over HTTPS.

    Google still puts such HTTP links in first page results too, eg.
    fifth result for a fairly non-specific search, so I think the
    result de-ranking threats are a lot of hot air as well.

    --
    __ __
    #_ < |\| |< _#

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)