SSL issues since yesterday

ViAdCk

Hello,

Since yesterday some of our clients have been having issues with their scripts connecting through SSL or when trying to connect to a mail server with TLS.

For example, one client uses a specific WordPress plugin that uses cURL and is giving the following error:

Code:
*** QuickLaTeX cannot compile formula:
5+5=10

*** Error message:
Cannot connect to QuickLaTeX server: cURL error 60: SSL certificate problem: certificate has expired
Please make sure your server/PHP settings allow HTTP requests to external resources (“allow_url_fopen”, etc.)

Another customer on another server is having the following issue when trying to connect to the local SMTP server with TLS:

Code:
2021-10-01 15:47:56 Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
SMTP Error: Could not connect to SMTP host.

Any idea what should be done on the server level to make this work again?

Regards!
 
Scroll and read the topic, also the replies from DA and the links to LE.

 
On both these servers I have done/checked the following:

- yum update openssl -> latest version
- yum update ca-certificates -> latest version
- Installed the latest letsencrypt version from custombuild

But the issue persists. Any ideas?

Regards
 
Yes I have reinstalled the certificate for the hostname.

What exactly do you suggest to check at digicert.com? I checked the hostname and all checks are OK in green.
 
Did you read?

The RED part in the quote is DA Support's:

Upgrading the letsencrypt v2.0.23 package via custombuild can allow some moderately old systems to connect to DA which currently fail to do so. New systems work fine with or without this upgrade. For extremely old systems there is nothing that can be done (except upgrading them).
 
Both are CloudLinux 7 servers, hardly "an extremely old system".
I did point out more in my writing there, the part that yes, it is no good idea to remove X3 or to use the LE workaround.

Also, if YOUR CloudLinux 7 doesn't have this, then check how you can upgrade it, while some other systems such as old Windows and Android can't be upgraded.

So the clients need upgrades (read: put the newer CA root in those systems, I guess, and have apps using the old one also updated to point to the new paths / CA certs); only for those that can't and are way too old should there be problems with not working at all.

Centos7 https://community.letsencrypt.org/t...t-compatibility-after-new-chain/151969?page=2
 
The problem is that curl still uses this old root certificate. I have recompiled curl but it doesn't appear to be working.

Maybe it's possible to manually remove this expired root certificate from curl?
 
Please read the whole linked topic, as there are also some solutions in it for curl and others.

As an example, Python:
Just want to mention that system applications should be fine, but if you deployed a custom Python application which uses requests in a virtualenv, your CA bundle will be provided by certifi and they still provide the expired certificate.
So if your Python application makes outgoing requests and tries to verify the TLS certificate you should pass the path to the system-wide CA bundle.
Good info, @FelixSchwarz! One easy way to do this should be to set the REQUESTS_CA_BUNDLE environment variable.
On a whim I thought that the package didn't update the extract when it was installed so I ran this manually:
update-ca-trust extract
And now everything is working as expected.
Great that this resolved the issue for you. However, as one should expect, haven't seen anywhere on new or existing CentOS 7 boxes that this was needed after updating ca-certificates.
If you look at the output of rpm -q --scripts ca-certificates you can see that running update-ca-trust is already managed by the package itself.
Just wanting to clarify in this thread that it is ordinarily not required to run update-ca-trust extract after updating.
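The check behind the advice above (is the expired DST Root CA X3 still in the bundle your client actually reads?), written here as an added example and not code from this thread, from DirectAdmin, CloudLinux or Let's Encrypt: a standard-library-only scanner that walks each certificate in a PEM bundle with a minimal DER parser, pulls out the subject CN and notAfter, and flags the expired ones. Point it at the system bundle, at certifi's cacert.pem inside a virtualenv, or at whatever file REQUESTS_CA_BUNDLE names. The default bundle path is an assumption for RHEL/CentOS/CloudLinux 7, and the sample bundle at the bottom is constructed: two unsigned placeholder certificate shells whose names and notAfter dates mimic DST Root CA X3 and ISRG Root X1, with dummy keys and signatures.

```python
"""Report expired certificates in a PEM CA bundle using only the standard
library (no openssl binary, no cryptography package). Added example for
this thread; the DER walker understands just enough X.509 to reach the
name and validity fields of each certificate."""
import base64
import re
import sys
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"                                # 2.5.4.3 id-at-commonName
DEFAULT_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"     # assumption: RHEL/CentOS/CloudLinux 7 path


def der_read(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a constructed TLV into its immediate (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    """Decode an X.509 Time: UTCTime (0x17, two-digit year, pivot 50) or GeneralizedTime (0x18)."""
    s = val.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, s[2:])
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def name_cn(name):
    """Return the commonName from a DER Name (SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            if oid == OID_CN:
                return value.decode("utf-8", "replace")
    return None


def cert_info(der):
    """Extract issuer CN, subject CN and validity from one DER-encoded certificate."""
    _, cert, _ = der_read(der, 0)          # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    fields = der_children(der_children(cert)[0][1])
    if fields[0][0] == 0xA0:               # [0] EXPLICIT version is optional (absent in v1 certs)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    not_before, not_after = [parse_time(t, v) for t, v in der_children(validity)]
    return {"subject_cn": name_cn(subject), "issuer_cn": name_cn(issuer),
            "not_before": not_before, "not_after": not_after}


def scan_bundle(pem_bytes, now=None):
    """Parse every certificate in a PEM bundle and mark the ones already past notAfter."""
    now = now or datetime.now(timezone.utc)
    results = []
    for m in PEM_RE.finditer(pem_bytes):
        info = cert_info(base64.b64decode(b"".join(m.group(1).split())))
        info["expired"] = info["not_after"] < now
        results.append(info)
    return results


def expired_roots(pem_bytes, now=None):
    """Subject CNs of the expired certificates in the bundle."""
    return [c["subject_cn"] for c in scan_bundle(pem_bytes, now) if c["expired"]]


# --- constructed sample input (placeholder shells, not real certificates) ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_cert(cn, not_before, not_after):
    """Unsigned X.509 v3 shell with a dummy key and signature, enough for the parser above."""
    oid = lambda b: tlv(0x06, b)
    name = tlv(0x30, tlv(0x31, tlv(0x30, oid(OID_CN) + tlv(0x0C, cn.encode()))))
    utc = lambda d: tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = tlv(0x30, oid(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))  # sha256WithRSA
    spki = tlv(0x30, tlv(0x30, oid(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + tlv(0x05, b""))
               + tlv(0x03, b"\x00" * 9))                                               # rsaEncryption + dummy bits
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg + name
              + tlv(0x30, utc(not_before) + utc(not_after)) + name + spki)
    cert = tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 9))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (  # constructed: names/dates mimic the real roots, nothing else does
    build_sample_cert("DST Root CA X3", datetime(2000, 9, 30, 21, 12, 19), datetime(2021, 9, 30, 14, 1, 15))
    + build_sample_cert("ISRG Root X1", datetime(2015, 6, 4, 11, 4, 38), datetime(2035, 6, 4, 11, 4, 38))
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BUNDLE
    with open(path, "rb") as fh:
        for c in scan_bundle(fh.read()):
            print("%-8s %s  %s" % ("EXPIRED" if c["expired"] else "ok", c["not_after"].date(), c["subject_cn"]))
```

Run it as `python3 scan_bundle.py /path/to/bundle.pem`; with no argument it reads the RHEL-style system bundle. Finding the expired root listed is not by itself the failure: OpenSSL 1.1.0 and later builds the path up to ISRG Root X1 and ignores the expired DST Root CA X3, while OpenSSL 1.0.x on older systems stops at the first chain it finds. If the bundle the failing client reads still lists it, either point the application at an updated bundle (REQUESTS_CA_BUNDLE for requests, as the quoted post suggests) or remove the root from that trust store.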
 
I have read the whole link.

This client has a wordpress website with a plugin that worked perfectly until yesterday. This client doesn't have the knowledge to make these changes and asks this to work at the server level, just as it worked until yesterday.

I'm contacting cloudlinux support to check if they have some suggestions.
 
Uh, yes, we also have older APPS using for example SMTP (SSL/TLS) that are too old; we did abandon them.

So normally it is a client-side problem where some work and updates were needed, and sometimes then also on the server to handle some APPS / PLUGINS correctly.
 