HEADS UP: DST Root CA X3 Expiration (September 2021)

VioletDragon

@jegr Firefox seems to handle it differently. I've noticed that it only happens when signed into a Firefox account so not sure if the account saves the cache but it's a strange one.

marcosm

The browsers / Windows have their own trusted root CAs. I expect that once the old ones expire/get removed/revoked from those built-in stores, the new chain will take precedence and show correctly.

sergio.londono

for testing while the SSL expire, We did:

Delete the expiring Root CA from the client browser.

Then, Open private browser:

VioletDragon

@sergio-londono That's solved the problem, Cheers :)

maverick_slo

Hi all.
We use pfsense 2.4.4 version.
I did all the steps and all looks ok.

However reading about openssl, will acme (or any other thing) have issues when renewing certs? Like acme accessing le api which use le cert naturally?

If so, is there a way to fix it as we are unable to upgrade.

Thanks.

VioletDragon

@maverick_slo why such a old version of pfsense? I would recommend updating.

johnpoz

@violetdragon said in HEADS UP: DST Root CA X3 Expiration (September 2021):

I would recommend updating.

While I would too - but I also have some units still on 2.4.4p3 - covid being the reason, with nobody on site.. And I can not go in - can not risk it. They might have to stay on that version until things really get back to normal. And I can be onside for update, and other remote sites have people there that can be my smart hands if things go belly up. Things normally go fine - but just not something can risk at this time. Maybe he is in the same sort of boat.. I hope he meant p3, this was the latest version before covid became a factor..

VioletDragon

@johnpoz that makes sense. I have worked with people that neglects updating or just too lazy to do updates. Certs should be fine providing you have done the fix in this thread. Openssl has been updated since. You can try doing a dry run to see if it fetched a fake Cert if it does then you will be fine until you can update.

johnpoz

@violetdragon I hear ya - you should always be current completely agree 110% Its kind of eating at me that they are not current ;)

But these are different times for sure.. Before this I would of pulled the trigger on a sunday evening from home on the update, even if version just came out on saturday ;) Because I knew I could just go in bit early monday if it went belly up..

So I am currently more willing to give some people slack on the update.. But yeah stay current I am with ya.

VioletDragon

Just thought i'd put this out there, you can verify your SSL Cert by using the following.

Tests using TLS 1.3
openssl s_client -connect yourdomain.com:443 -tls1_3  

Tests using TLS 1.2
openssl s_client -connect yourdomain.com:443 -tls1_2 

maverick_slo

My certs are fine
My question was actually if acme will have issues obtaining NEW certs from today onwards.

Gertjan

@maverick_slo

Noop.
Letenscrypt uses the new intermediate and root certificate to sign yours.
'We' have to do ... nothing.

jimp

@maverick_slo said in HEADS UP: DST Root CA X3 Expiration (September 2021):

My certs are fine
My question was actually if acme will have issues obtaining NEW certs from today onwards.

As long as the ACME package is renewing certs with ACME v2 you're fine. Not all of the older versions of the ACME package support that, but if that was a problem, it would have been failing for the last few months already. That's unrelated to this intermediate expiring.

I've even copied (edited) ACME package files from a current package version back to a 2.3.x install and it renewed a cert fine there with ACME v2 and got the correct intermediate after I cleared out the old one.

JeGr

@maverick_slo said in HEADS UP: DST Root CA X3 Expiration (September 2021):

My question was actually if acme will have issues obtaining NEW certs from today onwards.

Acme didn't have problems in the first place. It assigned new Intermediates back like at the start of the year as the revocation was known well in advance. I have systems I haven't touched in over a year that run completely autonomous with acme.sh or certbot (or other LE clients) without a hitch. It's only when local certificate stores or wrong CA chains from the OS etc. mixed with "unable to (auto) update thing" come into play that things go wrong ;)

Flemmingss

@jimp

This one worked for me
Now iOS devices get valid certificates

mcury

It seems that this problem is affecting Plex.. It appears to be solved now, but some old devices won't be able to connect through secure connections anymore..

https://forums.plex.tv/t/important-information-about-plex-for-smart-tvs-after-september-30-2021/746506

DaddyGo

@mcury said in HEADS UP: DST Root CA X3 Expiration (September 2021):

It seems that this problem is affecting Plex..

Nope, not only Bro., it also affected our NextCloud servers too

PS:

(Are you all right?
if you have time, we could talk this weekend, long time since I heard the new news from BR)

mcury

Oh, didn't know about NextCloud servers..

I'm all right, thanks for asking, and how about you?

I'll be traveling to Buzios/RJ this weekend, going to the beach hehe
I'll be back on Sunday night, I'll send you a message to give you some news about here, hope everything is better for you guys there in Portugal too =)

VioletDragon

@daddygo How exactly do you have SSL Configured on NextCloud? on the Server itself using Acme or Lets Encrypt or with Haproxy? It was only the SSL Certs that were affected on pfSense but for Postfix and Dovecot Certs are all fine thats with Certbot.

jimp

This thread was only for the expiring CA from Let's Encrypt with the ACME package. It is not for issues accessing things as a client.

If you are using outdated versions of pfSense or other clients without a current set of up-to-date root certificates, read and post in one of the existing threads in the General pfSense Questions category for that specific use case.