On 2021-11-12 at 13:34:46 UTC-0500 (Fri, 12 Nov 2021 10:34:46 -0800)
Randall Gellens <mailmate@lists.freron.com>
is rumored to have said:

I just tried to check for an update but received the error "SSL certificate problem: certificate has expired", which might explain why I wasn't aware there was anything newer.

That's probably a consequence of the recent expiration of the root CA cert ("DST Root CA X3") on a secondary validation path for Let's Encrypt certificates. Sites serve the full trust chain of certs needed for all of their trust paths except for the root to all clients and many are still serving both the valid trust path and the one that relies on an expired root. There's actually no consensus on whether server and intermediate certs that were issued when a CA cert was valid should be considered invalid when the CA expires but the issued cert is still nominally valid.

The fixes for that base problem vary between systems and can be confusing because an app can use the OS's security layer and its keychains of trusted CA certs or the Apple-distributed antique OpenSSL with a PEM bundle of CA certs in /etc/ssl/cert.pem or the MacPorts OpenSSL with the 'curl-ca-bundle' package that puts a link at /opt/local/etc/openssl/cert.pem which points to /opt/local/share/curl/curl-ca-bundle.crt. Or if you use Homebrew, you might have something in /usr/local/etc. Some apps may even bundle their own SSL libraries to do self-updates. I'm pretty sure MM just uses the system facilities, but if you have similar problems with other tools

If Keychain Access will let you do so, you should remove "DST Root CA X3" from your System Roots keychain. On recent systems with SIP enabled, you can't do that so you can work around the problem by changing its Trust Settings to "Always Trust." You also should check your keychains for multiple versions of the "ISRG Root X1" certificate, which SHOULD be a self-signed root CA cert in SystemRoots. However, you may also have another version in the System or login keychains which is NOT actually a root CA cert but rather is issued by that expired root CA cert. If you do have one of those, they need to go. If you are unable to remove non-root versions of the "ISRG Root X1" cert or do not have the root version in SystemRoots, you can get the current version from http://x1.i.lencr.org/ and import it into your System keychain. (Imports into SystemRoots don't work.)

Ideally, the fix is server-side. Servers like updates.mailmate-app.com should be reconfigured to send only the server certificate and its immediate issuer cert as the server's trust chain, NOT including the version of "ISRG Root X1" which is signed by the expired cert. That would break a DIFFERENT subset of older clients (which don't trust the ISRG root by default) which is probably why even Let's Encrypt's own servers are still sending the quasi-bogus cert.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
mailmate mailing list
mailmate@lists.freron.com
https://lists.freron.com/listinfo/mailmate
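The path-building behaviour the reply above describes (a served chain that ends in the cross-signed "ISRG Root X1", a trust store that may or may not still hold the expired "DST Root CA X3", and a server-side fix that trims the chain to leaf plus immediate issuer) is easier to reason about with a model in hand. The following is an added example, not code from the post, from MailMate or from Let's Encrypt. The Cert objects are constructed stand-ins with no keys or signatures; only subject/issuer links and expiry dates are modelled. Root and intermediate dates are the public ones rounded to the day, the leaf certificate and its date are invented, and the two client behaviours ("trusted-first", which prefers a trust-store copy of a certificate over the served copy, and "served-first", which follows the served chain as far as it goes) are simplified assumptions that do not reproduce any particular TLS library.

```python
"""Toy model of certificate path building across the DST Root CA X3 expiry.

Added example, not code from the mailing-list post, MailMate or Let's Encrypt.
Cert objects are constructed stand-ins (no keys, no signatures). Root and
intermediate expiry dates are the public ones rounded to the day; the leaf
and its date are invented. The two client behaviours are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


# Roots and intermediates named as in the post; dates rounded to the day.
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30))
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30))
R3 = Cert("R3", "ISRG Root X1", datetime(2025, 9, 15))
LEAF = Cert("updates.mailmate-app.com", "R3", datetime(2022, 1, 1))  # constructed

NOW = datetime(2021, 11, 12)  # date of the post: DST Root CA X3 already expired

FULL_CHAIN = [LEAF, R3, ISRG_X1_CROSS]  # leaf + issuer + cross-signed root, still widely served
TRIMMED_CHAIN = [LEAF, R3]              # server-side fix from the post: leaf + immediate issuer

BOTH_ROOTS = frozenset({DST_ROOT, ISRG_X1_SELF})  # typical store: both roots present
DST_ONLY = frozenset({DST_ROOT})                  # old client that never received ISRG Root X1
DST_REMOVED = frozenset({ISRG_X1_SELF})           # expired root deleted, as the post advises


def build_path(leaf, served, trust_store, trusted_first):
    """Walk subject/issuer links from the leaf until a trust-store cert is reached.

    trusted_first=True prefers a trust-store match over a served cert with the
    same subject; False follows the served chain as far as it goes first.
    Returns (path, error); error is None on success.
    """
    path, seen = [leaf], {leaf}
    while True:
        current = path[-1]
        if current in trust_store:
            return path, None  # anchored on a trusted certificate
        from_store = [c for c in trust_store if c.subject == current.issuer]
        from_wire = [c for c in served if c.subject == current.issuer and c not in seen]
        candidates = from_store + from_wire if trusted_first else from_wire + from_store
        if not candidates:
            # Dead end. If the trust store holds a different (self-signed) copy of
            # the certificate we stopped at, use it instead of the served copy.
            same_subject = [c for c in trust_store if c.subject == current.subject]
            if same_subject:
                path[-1] = same_subject[0]
                return path, None
            return path, f"unable to get issuer certificate for '{current.subject}'"
        path.append(candidates[0])
        seen.add(candidates[0])


def verify(served, trust_store, *, trusted_first, check_ca_expiry=True, now=NOW):
    """Build a path for served[0] and apply the expiry policy.

    check_ca_expiry=False models the 'no consensus' position in the post: an
    expired CA does not invalidate certificates it issued while still valid.
    """
    path, err = build_path(served[0], served, trust_store, trusted_first)
    if err:
        return False, err
    for cert in (path if check_ca_expiry else path[:1]):
        if cert.not_after < now:
            return False, f"certificate has expired: '{cert.subject}'"
    return True, " -> ".join(c.subject for c in path)


def run_scenarios(now=NOW):
    """The combinations discussed in the post, keyed by chain/store/client."""
    return {
        "full/both-roots/trusted-first": verify(FULL_CHAIN, BOTH_ROOTS, trusted_first=True, now=now),
        "full/both-roots/served-first": verify(FULL_CHAIN, BOTH_ROOTS, trusted_first=False, now=now),
        "full/both-roots/served-first/lenient": verify(
            FULL_CHAIN, BOTH_ROOTS, trusted_first=False, check_ca_expiry=False, now=now),
        "full/dst-only/served-first": verify(FULL_CHAIN, DST_ONLY, trusted_first=False, now=now),
        "full/dst-removed/served-first": verify(FULL_CHAIN, DST_REMOVED, trusted_first=False, now=now),
        "trimmed/both-roots/served-first": verify(TRIMMED_CHAIN, BOTH_ROOTS, trusted_first=False, now=now),
        "trimmed/dst-only/served-first": verify(TRIMMED_CHAIN, DST_ONLY, trusted_first=False, now=now),
    }


if __name__ == "__main__":
    for name, (ok, detail) in run_scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name:40s} {detail}")
```

The scenarios line up with the post's points: a served-first client that still holds the expired root reports "certificate has expired", the same client with "DST Root CA X3" removed finds the self-signed "ISRG Root X1" and succeeds, the lenient expiry policy accepts the expired path outright, and the trimmed chain works for anyone with "ISRG Root X1" in their store but fails for a client that only trusts "DST Root CA X3", which is the "different subset of older clients" the post mentions. To compare the model against what a real server actually sends, `openssl s_client -connect host:443 -showcerts` prints the served chain.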
