Hello!

benoit-li...@fb12.de (Sebastian Benoit), 2021.09.30 (Thu) 21:42 (CEST):
> Chris Bennett(cpb_m...@bennettconstruction.us) on 2021.09.30 10:02:17 -0700:
> > I'm getting that the certs are expired, but https works fine in Firefox,
> > including when looking at the full chain.
> > openssl s_client -servername mail.strengthcouragewisdom.rocks -connect
> > mail.strengthcouragewisdom.rocks:https
>
> This is an issue with an expired root/intermediate certificate (DST Root X3)
> in use by Let's Encrypt.
>
> Stuart Henderson (sthen@) summarized it like this:
>
> LibreSSL in OpenBSD 6.9/earlier is having problems with the expiry of a
> CA certificate used to cross-sign Let's Encrypt certs.
>
> LE decided not to switch to using their own root fully, rather they
> are continuing to use the expired cross-signer to increase compatibility
> with old Android devices, which is tickling this problem.
> https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
>
> An errata has just been published, you can install it using syspatch.

I've syspatch(8)-ed a machine that now delivers the following error:

    $ ftp -VMo /dev/null \
        "https://shop.theater-phoenix.at/Events.aspx?msg=0&ret=1"
    TLS handshake failure: certificate verification failed: unable to get local issuer certificate

    $ openssl s_client -servername shop.theater-phoenix.at -connect \
        shop.theater-phoenix.at:https
    Verify return code: 21 (unable to verify the first certificate)

The server "shop.theater-phoenix.at" runs under Windows and uses
letsencrypt certificates.

Does this issue have the same root cause or is this something different?

Marcus