Hi,

On Tue, 21 Nov 2017 at 11:57:10 +0100, Dennis Roczek wrote:
> We just got a new wiki-certificate from Let's encrypt. Maybe they
> changed something fundamental...?

The cert was last renewed 2 weeks ago, if there was a problem with the X.509 chain I guess someone would have complained before :-P

    $ openssl s_client -connect wiki.documentfoundation.org:443 -servername wiki.documentfoundation.org </dev/null 2>/dev/null \
        | openssl x509 -noout -dates
    notBefore=Nov 4 02:07:05 2017 GMT
    notAfter=Feb 2 02:07:05 2018 GMT

> @Guilhem: do you know more about changes there?

I noticed the OCSP response stapled to the TLS handshake was out of date since this morning at 03:00 UTC.

    $ openssl s_client -connect wiki.documentfoundation.org:443 -servername wiki.documentfoundation.org -status </dev/null 2>/dev/null
    […]
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Produced At: Nov 14 03:08:00 2017 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 03686441D74F5FFBC5CF4FDD4504FBFA9DDA
        Cert Status: good
        This Update: Nov 14 03:00:00 2017 GMT
        Next Update: Nov 21 03:00:00 2017 GMT
    […]

Apparently nginx kept querying the OCSP responder but all requests timed out so the stapled data wasn't refreshed.

That's weird, AFAIK nginx only caches DNS responses for the zone TTL, but we got a valid response after reloading the server:

    $ openssl s_client -connect wiki.documentfoundation.org:443 -servername wiki.documentfoundation.org -status </dev/null 2>/dev/null
    […]
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Produced At: Nov 19 03:11:00 2017 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 0324F7EDB9BE813D301B509273649D7E7614
        Cert Status: good
        This Update: Nov 19 03:00:00 2017 GMT
        Next Update: Nov 26 03:00:00 2017 GMT
    […]

I assume not all browsers were affected because some fall back to querying the OCSP responder manually when the stapled information is out of date.

Cheers,
--
Guilhem.
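
Added example (not part of the original message): a monitoring check for the failure described above, which parses the text output of `openssl s_client -status` and flags a stapled OCSP response whose Next Update has passed or is close. The function names and the two-day warning threshold are assumptions; the sample text reuses fields from the first response quoted in the message.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: fields taken from the first (stale) response quoted above.
SAMPLE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Produced At: Nov 14 03:08:00 2017 GMT
    Cert Status: good
    This Update: Nov 14 03:00:00 2017 GMT
    Next Update: Nov 21 03:00:00 2017 GMT
"""

FIELD = re.compile(r"^[ \t]*(Cert Status|This Update|Next Update):[ \t]*(.+?)[ \t]*$", re.M)

def parse_time(text):
    # openssl prints these timestamps as e.g. "Nov 14 03:00:00 2017 GMT" (always UTC).
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def check_staple(output, now, warn_before=timedelta(days=2)):
    """Return (state, detail); state is "OK", "WARNING" or "CRITICAL"."""
    if "OCSP Response Data:" not in output:
        return "CRITICAL", "no OCSP response stapled"
    fields = dict(FIELD.findall(output))
    missing = {"Cert Status", "This Update", "Next Update"} - fields.keys()
    if missing:
        return "CRITICAL", "missing fields: " + ", ".join(sorted(missing))
    if fields["Cert Status"] != "good":
        return "CRITICAL", "cert status is " + fields["Cert Status"]
    this_update = parse_time(fields["This Update"])
    next_update = parse_time(fields["Next Update"])
    if now >= next_update:
        return "CRITICAL", f"staple expired {now - next_update} ago"
    if now < this_update:
        return "CRITICAL", "This Update is in the future (clock skew?)"
    if next_update - now <= warn_before:
        # Assumed threshold: the server should have refreshed the staple by now.
        return "WARNING", f"staple expires in {next_update - now}"
    return "OK", f"staple valid for {next_update - now}"

if __name__ == "__main__":
    # Constructed check time on the morning the stale staple was noticed.
    now = datetime(2017, 11, 21, 9, 0, tzinfo=timezone.utc)
    print(*check_staple(SAMPLE, now))
```

In production the `output` argument would be the captured stdout of the `openssl s_client ... -status` command shown in the message, and `now` would be `datetime.now(timezone.utc)`.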