• LetsEncrypt

    From Brian Rogers@VERT/CARNAGE to All on Friday, October 01, 2021 18:28:00
    Anyone who had issues with certs signed by Let's Encrypt may have noticed issues. They had a major "oops" by not renewing their own certs which made
    all other certs under them appear expired.

    https://www.yahoo.com/news/internet-goes-down-millions-tech-021400230.html

    I know on iPhones, email accounts that use servers that have certs signed
    by Let's Encrypt have issues. I'm not an Apple person but if anyone knows
    how to force an update of the cert without having to recreate an email
    account I'd love to hear from you.



    ... Old bookkeepers never die, they just lose their figures.
    --- MultiMail/Linux v0.52
    þ Synchronet þ SBBS - Carnage! Hartford, Ct bbs.n1uro.com:2300
  • From Arelor@VERT/PALANT to Brian Rogers on Sunday, October 03, 2021 04:00:13
    Re: LetsEncrypt
    By: Brian Rogers to All on Fri Oct 01 2021 06:28 pm

    Anyone who had issues with certs signed by Let's Encrypt may have noticed issues. They had a major
    "oops" by not renewing their own certs which made
    all other certs under them appear expired.

    https://www.yahoo.com/news/internet-goes-down-millions-tech-021400230.html

    I know on iPhones, email accounts that use servers that have certs signed
    by Let's Encrypt have issues. I'm not an Apple person but if anyone knows how to force an update of the cert without having to recreate an email account I'd love to hear from you.



    ... Old bookkeepers never die, they just lose their figures.

    Actually, for the sake of completion, what happened is that, before they were popular, Let's
    Encrypt got their own certificate signed by a trusted CA (one of those which is trusted by most
    Operating Systems). Let's Encrypt eventually became popular enough that their own certificate
    became widely trusted over the years, but the old signature was kept in the trust chain for legacy
    reasons.

    When the certificate from the third party CA expired, old Operating Systems which:

    * Don't have the Let's Encrypt now widely trusted certificate installed
    * or do bogus certificate verification, because they try to verify Let's Encrypt's certificate
    against the expired cert even if the Let's Encrypt one is stored as trusted

    will fail to verify any legit Let's Encrypt cert.

    It is unfortunate, but it is a problem with the SSL/TLS clients, really.

    If your Operating System is not junk you may be able to remove the expired certificate from DST and
    install the Let's Encrypt one. If you can't do that then I am afraid your Operating System is junk
    and you should put it in /dev/null.


    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    þ Synchronet þ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
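    Arelor's two bullets describe two different chain-building behaviours. The toy model below is added here and is not part of the thread: it runs both kinds of client against the same server chains and trust stores to show why one fails and the other succeeds. Certificate names mirror the 2021 Let's Encrypt hierarchy; the validity dates are constructed approximations and there are no real keys or signatures.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # constructed, approximate validity end

    def expired(self, now):
        return now > self.not_after

# Constructed toy certificates named after the 2021 Let's Encrypt chain (no keys/signatures).
LEAF = Cert("bbs.example", "R3", datetime(2021, 12, 1))
R3 = Cert("R3", "ISRG Root X1", datetime(2025, 9, 15))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2021, 9, 30))  # expired cross-sign
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30))      # expired old root
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4))      # current LE root

LONG_CHAIN = [LEAF, R3, ISRG_X1_CROSS]  # default chain servers sent in 2021
SHORT_CHAIN = [LEAF, R3]                # alternate chain ending at ISRG Root X1
OLD_STORE = [DST_X3]                    # OS that never got ISRG Root X1 (first bullet)
NEW_STORE = [DST_X3, ISRG_X1_SELF]      # OS that trusts ISRG Root X1
NOW = datetime(2021, 10, 2)             # two days after the DST expiry

def find_anchor(issuer, store, now):
    """Return an unexpired trust anchor whose subject matches `issuer`, else None."""
    return next((t for t in store if t.subject == issuer and not t.expired(now)), None)

def verify_legacy(chain, store, now):
    """Client that checks the presented chain as-is (the 'bogus' behaviour in the post):
    every presented cert must be unexpired before the last issuer is looked up."""
    for c in chain:
        if c.expired(now):
            return False, f"{c.subject} expired"
    anchor = find_anchor(chain[-1].issuer, store, now)
    return (True, f"anchored at {anchor.subject}") if anchor else (False, "no trusted anchor")

def verify_modern(chain, store, now):
    """Client that stops at the first trusted anchor and ignores the rest of the chain."""
    for c in chain:
        if c.expired(now):
            return False, f"{c.subject} expired"
        anchor = find_anchor(c.issuer, store, now)
        if anchor:
            return True, f"anchored at {anchor.subject}"
    return False, "no trusted anchor"

if __name__ == "__main__":
    for store in (OLD_STORE, NEW_STORE):
        for chain in (LONG_CHAIN, SHORT_CHAIN):
            print(len(store), len(chain), verify_legacy(chain, store, NOW), verify_modern(chain, store, NOW))
```

    With the new store, the legacy client still rejects the long chain because the expired cross-sign is in the presented chain; only the short chain, or a client that stops at the first trusted anchor, gets through.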
  • From Brian Rogers@VERT/CARNAGE to Arelor on Sunday, October 03, 2021 14:28:00
    Hello Arelor;

    Arelor wrote to Brian Rogers <=-

    Actually, for the sake of completion, what happened is that, before
    they were popular, Let's Encrypt got their own certificate signed by a trusted CA (one of those which is trusted by most Operating Systems). Let's Encrypt eventually became popular enough that their own
    certificate became widely trusted over the years, but the old signature was kept in the trust chain for legacy reasons.

    If you read the link I posted, it explained this :) There was no need for me
    to repeat what was published.

    If your Operating System is not junk you may be able to remove the
    expired certificate from DST and install the Let's Encrypt one. If you can't do that then I am afraid your Operating System is junk and you should put it in /dev/null.

    That's taking it a bit extreme. You're basically saying some slightly older mobile device operating systems should get trashed. This really isn't a feasible solution. iOS 14 for example (even iOS 12 which is still in use and maintained) don't recognize the LE certs still. One needs to manually import them and they'll take fine. I know because of some of the spyware Apple has included in iOS 15 some aren't upgrading it for that reason, so it's six of one, half a dozen of the other.


    ... VALUABLE STORE COUPON HAS BEEN REMOVED!
    --- MultiMail/Linux v0.52
    þ Synchronet þ SBBS - Carnage! Hartford, Ct bbs.n1uro.com:2300
  • From Arelor@VERT/PALANT to Brian Rogers on Monday, October 04, 2021 12:33:50
    Re: Re: LetsEncrypt
    By: Brian Rogers to Arelor on Sun Oct 03 2021 02:28 pm

    That's taking it a bit extreme. You're basically saying some slightly older mobile device operating systems
    should get trashed. This really isn't a feasible solution. iOS 14 for example (even iOS 12 which is still

    I suspect I am turning into Theo de Raadt, but from the very bottom of my heart: if you cannot modify the
    CA store of a device in order to replace expired trust chains, the device belongs to /dev/null.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    þ Synchronet þ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
  • From Brian Rogers@VERT/CARNAGE to Arelor on Tuesday, October 05, 2021 10:05:00
    Hello Arelor;

    Arelor wrote to Brian Rogers <=-

    I suspect I am turning into Theo de Raadt, but from the very bottom of
    my heart: if you cannot modify the CA store of a device in order to replace expired trust chains, the device belongs to /dev/null.

    I'm not an Apple person so it was a matter of learning how to import the
    certs manually since Apple wouldn't just do it. Droids didn't have such an issue.

    ... "He's crazier than I am." - Klinger on Burns. "He's a major." - Radar
    --- MultiMail/Linux v0.52
    þ Synchronet þ SBBS - Carnage! Hartford, Ct bbs.n1uro.com:2300