Letsencrypt cert server fail?

<87k0iwm1z4.fsf@bogus.nodomain.nowhere>

From: mds@bogus.nodomain.nowhere (Mike Spencer)
Newsgroups: comp.misc
Subject: Letsencrypt cert server fail?
Date: 02 Oct 2021 02:26:23 -0300
Organization: Bridgewater Institute for Advanced Study - Blacksmith Shop
Lines: 42
Message-ID: <87k0iwm1z4.fsf@bogus.nodomain.nowhere>
X-Newsreader: Gnus v5.7/Emacs 20.7
 by: Mike Spencer - Sat, 2 Oct 2021 05:26 UTC

Is Letsencrypt having a problem or is this something I don't
understand? (Lots of things, including the whole cert mechanism, I
don't understand.)

Numerous web sites failing to connect 1-2 Oct. 2021

Browser (Seamonkey) reports:

sec_error_expired_issuer_certificate

wget --no-check-certificate reports:

WARNING: cannot verify [DOMAIN_NAME]'s certificate, issued by
'CN=R3,O=Let\'s Encrypt,C=US':
Issued certificate has expired.

Sites that fail are themselves okay because the wget command succeeds
with --no-check-certificate.

Not all sites fail.

Example sites that fail:

slashdot.org
soylentnews.org
www.schneier.com
nymag.com

Example sites that DO NOT fail

google.com
www.nhc.noaa.gov
topics.nytimes.com
xkcd.com

Using Linux, Seamonkey 2.40 but another user has had same problem,
same date Oct 1, using Windows.

--
Mike Spencer Nova Scotia, Canada

Re: Letsencrypt cert server fail?

<irqdtaF562cU1@mid.individual.net>

From: usenet@andyburns.uk (Andy Burns)
Newsgroups: comp.misc
Subject: Re: Letsencrypt cert server fail?
Date: Sat, 2 Oct 2021 07:52:25 +0100
Lines: 7
Message-ID: <irqdtaF562cU1@mid.individual.net>
References: <87k0iwm1z4.fsf@bogus.nodomain.nowhere>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.1.2
Content-Language: en-GB
In-Reply-To: <87k0iwm1z4.fsf@bogus.nodomain.nowhere>
 by: Andy Burns - Sat, 2 Oct 2021 06:52 UTC

Mike Spencer wrote:

> Using Linux, Seamonkey 2.40 but another user has had same problem,
> same date Oct 1, using Windows.
Import the "ISRG Root X1" into seamonkey's certificate store under authorities?

<https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021>

Re: Letsencrypt cert server fail?

<87bl47nb0u.fsf@bogus.nodomain.nowhere>

From: mds@bogus.nodomain.nowhere (Mike Spencer)
Newsgroups: comp.misc
Subject: Re: Letsencrypt cert server fail?
Date: 02 Oct 2021 04:25:37 -0300
Organization: Bridgewater Institute for Advanced Study - Blacksmith Shop
Lines: 24
Message-ID: <87bl47nb0u.fsf@bogus.nodomain.nowhere>
References: <87k0iwm1z4.fsf@bogus.nodomain.nowhere> <irqdtaF562cU1@mid.individual.net>
X-Newsreader: Gnus v5.7/Emacs 20.7
X-Clacks-Overhead: 4GH GNU Terry Pratchett
 by: Mike Spencer - Sat, 2 Oct 2021 07:25 UTC

Andy Burns <usenet@andyburns.uk> writes:

> Mike Spencer wrote:
>
>> Using Linux, Seamonkey 2.40 but another user has had same problem,
>> same date Oct 1, using Windows.
>
> <https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021>

Yes, after posting, I eventually found that with some bother.
With Linux, there's a workaround but it's a tedious PITA.

> Import the "ISRG Root X1" into seamonkey's certificate store under
> authorities?

I don't know how to do that but I'll try to find out directly.

Thank you very much.

--
Mike Spencer Nova Scotia, Canada

Re: Letsencrypt cert server fail?

<irqi04F5trhU1@mid.individual.net>

From: usenet@andyburns.uk (Andy Burns)
Newsgroups: comp.misc
Subject: Re: Letsencrypt cert server fail?
Date: Sat, 2 Oct 2021 09:02:11 +0100
Lines: 29
Message-ID: <irqi04F5trhU1@mid.individual.net>
References: <87k0iwm1z4.fsf@bogus.nodomain.nowhere>
<irqdtaF562cU1@mid.individual.net> <87bl47nb0u.fsf@bogus.nodomain.nowhere>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.1.2
Content-Language: en-GB
In-Reply-To: <87bl47nb0u.fsf@bogus.nodomain.nowhere>
 by: Andy Burns - Sat, 2 Oct 2021 08:02 UTC

Mike Spencer wrote:

> Andy Burns wrote:
>
>> Mike Spencer wrote:
>>
>>> Using Linux, Seamonkey 2.40 but another user has had same problem,
>>> same date Oct 1, using Windows.
>>
>> <https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021>
>
> Yes, after posting, I eventually found that with some bother.
> With Linux, there's a workaround but it's a tedious PITA.
>
>> Import the "ISRG Root X1" into seamonkey's certificate store under
>> authorities?
>
> I don't know how to do that but I'll try to find out directly.

I'm sure you'll figure it, but use wget or curl or something to grab the cert
file from

https://letsencrypt.org/certs/isrgrootx1.der

it's also available as a .pem if you have a reason to prefer that.

Then (and this is where, as a TB/FF user, I have to assume that SM is broadly
similar) Tools/Settings/Security/Certificates, select Authorities, click import
and select the file you just downloaded.
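
An added example, not part of the thread: a simplified offline model of the situation in the linked Let's Encrypt note, in which a newer root is also certified by an older root that has since expired, so a client trusting only the old root rejects the chain until the new root is imported as a trust anchor. All names, keys and lifetimes are constructed for the lab; it assumes `openssl` is installed.

```shell
#!/bin/sh
# Constructed lab PKI: every name, key and lifetime below is made up.
set -eu
cd "$(mktemp -d)"

cat > lab.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
EOF

# newkey NAME CN: write NAME.key and NAME.csr
newkey() {
  openssl req -config lab.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# issue OUT SUBJECT ISSUER DAYS [EXT]: certify SUBJECT.csr with ISSUER's key
# (self-signed when SUBJECT = ISSUER) and write OUT.pem
issue() {
  if [ "$2" = "$3" ]; then signer="-signkey $3.key"
  else signer="-CA $3.pem -CAkey $3.key -CAcreateserial"; fi
  openssl x509 -req -in "$2.csr" $signer -days "$4" \
    ${5:+-extfile lab.cnf -extensions "$5"} -out "$1.pem" 2>/dev/null
}

newkey old_root "Lab Old Root";  issue old_root old_root old_root 1 ca
newkey new_root "Lab New Root";  issue new_root new_root new_root 3650 ca
issue cross new_root old_root 1 ca   # new root's name and key, signed by old root
newkey inter "Lab Intermediate"; issue inter inter new_root 365 ca
newkey leaf "site.example";      issue leaf leaf inter 90

cat inter.pem cross.pem > chain.pem   # what the server sends besides the leaf
at=$(( $(date +%s) + 2 * 86400 ))     # two days on: old root and cross-cert expired

# verify_with ANCHOR.pem: validate the leaf at time $at, trusting only ANCHOR
verify_with() {
  if out=$(openssl verify -trusted_first -attime "$at" -CAfile "$1" \
             -untrusted chain.pem leaf.pem 2>&1); then
    echo "OK"
  else
    printf '%s\n' "$out" | grep -o 'certificate has expired' | head -n 1
  fi
}

echo "trust store holds only the old root: $(verify_with old_root.pem)"
echo "trust store holds the new root:      $(verify_with new_root.pem)"
```

The server-side chain is identical in both runs; only the client's trust anchor changes, which is why the sites themselves were fine and why importing the newer root into the browser's Authorities list clears the error.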

Re: Letsencrypt cert server fail?

<877detnaex.fsf@bogus.nodomain.nowhere>

From: mds@bogus.nodomain.nowhere (Mike Spencer)
Newsgroups: comp.misc
Subject: Re: Letsencrypt cert server fail?
Date: 03 Oct 2021 17:03:18 -0300
Organization: Bridgewater Institute for Advanced Study - Blacksmith Shop
Lines: 75
Message-ID: <877detnaex.fsf@bogus.nodomain.nowhere>
References: <87k0iwm1z4.fsf@bogus.nodomain.nowhere> <irqdtaF562cU1@mid.individual.net> <87bl47nb0u.fsf@bogus.nodomain.nowhere> <irqi04F5trhU1@mid.individual.net>
X-Newsreader: Gnus v5.7/Emacs 20.7
X-Clacks-Overhead: 4GH GNU Terry Pratchett
 by: Mike Spencer - Sun, 3 Oct 2021 20:03 UTC

Andy Burns <usenet@andyburns.uk> writes:

> Mike Spencer wrote:
>
>> Andy Burns wrote:
>>
>>> Mike Spencer wrote:
>>>
>>>> Using Linux, Seamonkey 2.40 but another user has had same problem,
>>>> same date Oct 1, using Windows.
>>>
>>> <https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021>
>>
>>> Import the "ISRG Root X1" into seamonkey's certificate store under
>>> authorities?
>>
>> I don't know how to do that but I'll try to find out directly.
>
> I'm sure you'll figure it, but use wget or curl or something to grab
> the cert file from
>
> https://letsencrypt.org/certs/isrgrootx1.der
>
> it's also available as a .pem if you have a reason to prefer that.

Good. Thank you. Did figure it out. Seamonkey appears to be working
as expected with sites using ISRG certs.

> Then (and this is where, as a TB/FF user, I have to assume that SM
> is broadly similar) Tools/Settings/Security/Certificates, select
> Authorities, click import and select the file you just downloaded.

Just so. Worked as intended. Next up: Try same for SM on Windows box
of SWMBO.

Digressing only slightly: Despite lots of (admittedly amateur) messing
about with assembler, C, Perl etc. from CP/M days into Linux and
TCP/IP, tech gets increasingly complex (in the technical as well as
the colloquial sense) and I've been getting old almost as fast since,
say, I first read K&R.

I'm not nearly as smart or as knowledgeable as Dan Geer but I'm
inclined to agree with him.

I am getting older, and I have to allow for the fact that perhaps that
explains everything, though I don't think so. I am, as a rule,
skeptical of coming to rely upon things that I don't know how they
work. If there's anything that I've come to be relatively adamant
about is that, as humans, we have repeatedly demonstrated that we can
quite clearly build things more complex than we can then manage, our
friends in finance and flash crashes being a fine example of that.

Given what I know in the cyber security arena, the number of things
that, in effect, nobody understands how they work causes me to say,
well, then why do I want to depend on it?

I understand basic concepts such as how PKC works in principle but the
whole HTTPS/PKC/certificate/digital-sig as a ball of wax remains
mostly a black box. Pop-up windows asking me to choose between or
approve things I don't understand are particularly intimidating. So
I'm hesitant to "just 'import' $FILE that comes from $SITE into
$HUGE_COMPLICATED_APP and click 'OK'" when I don't understand most of
the pieces involved in doing that.

Well, in any case, I did that and all appears to be well.

I need a nice lucid book that explains this stuff, more detailed than
pop-culture Luser level but less so than the large congeries of
relevant RFCs.

Usenet saves the day when the web goes dark! TYVM,

--
Mike Spencer Nova Scotia, Canada

Re: Letsencrypt cert server fail?

<sjmcd4$dfv$1@dont-email.me>

From: no_email@invalid.invalid (Oregonian Haruspex)
Newsgroups: comp.misc
Subject: Re: Letsencrypt cert server fail?
Date: Thu, 7 Oct 2021 08:50:44 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 2
Message-ID: <sjmcd4$dfv$1@dont-email.me>
References: <87k0iwm1z4.fsf@bogus.nodomain.nowhere>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 7 Oct 2021 08:50:44 -0000 (UTC)
User-Agent: NewsTap/5.5 (iPad)
 by: Oregonian Haruspex - Thu, 7 Oct 2021 08:50 UTC

I just HATE LetsEncrypt. It’s such a pain in the ass unless you want to
give it’s script root permissions, to update.

Re: Letsencrypt cert server fail?

<is7t4aFl7dbU2@mid.individual.net>

From: news0009@eager.cx (Bob Eager)
Newsgroups: comp.misc
Subject: Re: Letsencrypt cert server fail?
Date: 7 Oct 2021 09:31:54 GMT
Lines: 13
Message-ID: <is7t4aFl7dbU2@mid.individual.net>
References: <87k0iwm1z4.fsf@bogus.nodomain.nowhere>
<sjmcd4$dfv$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
User-Agent: Pan/0.145 (Duplicitous mercenary valetism; d7e168a
git.gnome.org/pan2)
 by: Bob Eager - Thu, 7 Oct 2021 09:31 UTC

On Thu, 07 Oct 2021 08:50:44 +0000, Oregonian Haruspex wrote:

> I just HATE LetsEncrypt. It’s such a pain in the ass unless you want to
> give it’s script root permissions, to update.

You doesn't pay yer money, and yer takes yer choice...!

--
Using UNIX since v6 (1975)...

Use the BIG mirror service in the UK:
http://www.mirrorservice.org

Re: Letsencrypt cert server fail?

<20211007184507.3e80bcb6@thinkpad-l440.darkstar>

From: visiblink@mail.invalid (Visiblink)
Newsgroups: comp.misc
Subject: Re: Letsencrypt cert server fail?
Date: Thu, 7 Oct 2021 18:45:07 -0700
Organization: A noiseless patient Spider
Lines: 11
Message-ID: <20211007184507.3e80bcb6@thinkpad-l440.darkstar>
References: <87k0iwm1z4.fsf@bogus.nodomain.nowhere>
<sjmcd4$dfv$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Newsreader: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
 by: Visiblink - Fri, 8 Oct 2021 01:45 UTC

On Thu, 7 Oct 2021 08:50:44 -0000 (UTC)
Oregonian Haruspex <no_email@invalid.invalid> wrote:

> I just HATE LetsEncrypt. It’s such a pain in the ass unless you want
> to give it’s script root permissions, to update.

I only use it for my XMPP server. There's no reason to use https on my
website, and there's the added bonus that Google no longer likes it,
since it's just plain old http.

Re: Letsencrypt cert server fail?

<sjoqpj$1dhi$1@gioia.aioe.org>

From: not@telling.you.invalid (Computer Nerd Kev)
Newsgroups: comp.misc
Subject: Re: Letsencrypt cert server fail?
Date: Fri, 8 Oct 2021 07:08:36 -0000 (UTC)
Organization: Aioe.org NNTP Server
Message-ID: <sjoqpj$1dhi$1@gioia.aioe.org>
References: <87k0iwm1z4.fsf@bogus.nodomain.nowhere> <sjmcd4$dfv$1@dont-email.me> <20211007184507.3e80bcb6@thinkpad-l440.darkstar>
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i686))
X-Notice: Filtered by postfilter v. 0.9.2
 by: Computer Nerd Kev - Fri, 8 Oct 2021 07:08 UTC

Visiblink <visiblink@mail.invalid> wrote:
> On Thu, 7 Oct 2021 08:50:44 -0000 (UTC)
> Oregonian Haruspex <no_email@invalid.invalid> wrote:
>
>> I just HATE LetsEncrypt. It's such a pain in the ass unless you want
>> to give it's script root permissions, to update.
>
> I only use it for my XMPP server. There's no reason to use https on my
> website, and there's the added bonus that Google no longer likes it,
> since it's just plain old http.

I've got a website available over HTTP or HTTPS (using Let's
Encrypt, and no I can't say that I've mastered it either) and
google still includes page links to it with HTTP links instead of
HTTPS. If they really cared then it would be easy to make their
crawler check whether the same content was available over HTTPS.

Google still puts such HTTP links in first page results too, eg.
fifth result for a fairly non-specific search, so I think the
result de-ranking threats are a lot of hot air as well.

--
__ __
#_ < |\| |< _#
