It's been a few months since I last checked in on my nntp
account with eternal-september, but TB is reporting that there
is a certif problem:

https://susepaste.org/24549546

It seems to look fine in the sense that the dates are still
good.

But is there a way to update the certif and be able to log in?

--- OpenXP 5.0.50
* Origin: Ogg's Dovenet Point (723:320/1.9)
� Synchronet � CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP

Re: let's encrypt certif problem
By: Ogg to All on Mon Oct 11 2021 08:30 pm

> It's been a few months since I last checked in on my nntp
> account with eternal-september, but TB is reporting that there
> is a certif problem:
>
> https://susepaste.org/24549546
>
> It seems to look fine in the sense that the dates are still
> good.
>
> But is there a way to update the certif and be able to log in?

why dont you talk to their support and ask them.
---
■ Synchronet ■ ::: BBSES.info - free BBS services :::

Re: let's encrypt certif problem
By: Ogg to All on Mon Oct 11 2021 08:30 pm

> It's been a few months since I last checked in on my nntp
> account with eternal-september, but TB is reporting that there
> is a certif problem:
>
> https://susepaste.org/24549546
>
> It seems to look fine in the sense that the dates are still
> good.
>
> But is there a way to update the certif and be able to log in?

Most likely this is due to the fact one of Let's Encrypt's certifiers has an expired cert.

Maybe you can remove DST X3 from your trust chain (since it is expired) and add the self signed
let's encrypt certificate from here:

https://letsencrypt.org/certificates/

More information about the issue here:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

--
gopher://gopher.richardfalken.com/1/richardfalken

---
■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL

Hello Arelor!

** On Tuesday 12.10.21 - 08:02, Arelor wrote to Ogg:

A> Maybe you can remove DST X3 from your trust chain (since it is expired)
A> and add the self signed let's encrypt certificate from here:

A> https://letsencrypt.org/certificates/

A> More information about the issue here:

A> https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

The info and reason is all good, but I need a step-by-step
intruction on how to work with certifs. I downloaded what I
though was a required replacement/updated certif [Cross-signed
by DST Root CA X3] from one of the above links, but it prompted
me for a password to proceed with the installation.

Meanwhile, I learned that OpenXP doesn't care about any
certifs, and I can fetch my eternal-september messages with
that. I don't need to use TB at all. But it wold be nice to
fix the certif problem.

--- OpenXP 5.0.50
* Origin: Ogg's Dovenet Point (723:320/1.9)
� Synchronet � CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP

Re: let's encrypt certif problem
By: Ogg to Arelor on Fri Oct 15 2021 10:16 pm

> The info and reason is all good, but I need a step-by-step
> intruction on how to work with certifs. I downloaded what I
> though was a required replacement/updated certif [Cross-signed
> by DST Root CA X3] from one of the above links, but it prompted
> me for a password to proceed with the installation.
>
> Meanwhile, I learned that OpenXP doesn't care about any
> certifs, and I can fetch my eternal-september messages with
> that. I don't need to use TB at all. But it wold be nice to
> fix the certif problem.

You need the self-signed certificate, not the cross-signed one, since the
cross-signed one is using an old, expired trust chain.

I am sure there are ten thousand guides floating around the internet regarding
certificate updateing. Most Linux and BSDs around got the problem fixed via a
regular update.

--
gopher://gopher.richardfalken.com/1/richardfalken

---
■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL

Hello Arelor!

** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:

A> You need the self-signed certificate, not the cross-signed
A> one, since the cross-signed one is using an old, expired
A> trust chain.

I installed both self0signed ones, and I did that in XP and TB.

Still doesn't work.

A> I am sure there are ten thousand guides floating around the internet
A> regarding certificate updateing. Most Linux and BSDs around got the
A> problem fixed via a regular update.

I know how to go through the "install certif" process in XP and
TB. But, these marked "==>" are not making any difference:

Active

ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1)
==> Self-signed: der, pem, txt

Active, limited availability

ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2)
==> Self-signed: der, pem, txt

--- OpenXP 5.0.50
* Origin: Ogg's Dovenet Point (723:320/1.9)
� Synchronet � CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP

Re: let's encrypt certif problem
By: Ogg to Arelor on Sat Oct 16 2021 07:51 pm

> Hello Arelor!
>
> ** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:
>
> A> You need the self-signed certificate, not the cross-signed
> A> one, since the cross-signed one is using an old, expired
> A> trust chain.
>
>
> I installed both self0signed ones, and I did that in XP and TB.
>
> Still doesn't work.
>
>
> A> I am sure there are ten thousand guides floating around the internet
> A> regarding certificate updateing. Most Linux and BSDs around got the
> A> problem fixed via a regular update.
>
> I know how to go through the "install certif" process in XP and
> TB. But, these marked "==>" are not making any difference:
>
> Active
>
> ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG
> Root X1)
> ==> Self-signed: der, pem, txt
>
> Active, limited availability
>
> ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = IS
> Root X2)
> ==> Self-signed: der, pem, txt

You also have to manually remove the expired DST X3 one.

--
gopher://gopher.richardfalken.com/1/richardfalken

---
■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL

Hello Arelor!

** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:

A> You need the self-signed certificate, not the cross-signed
A> one, since the cross-signed one is using an old, expired
A> trust chain.

Just a little followup.. I tried their "test" links below:

ISRG Root X1
Valid <== this one worked OK
Revoked <== this one loaded properly with "revoked"
Expired <== this wouldn't load.

ISRG Root X2
Valid <== this one worked OK
Revoked <== this one loaded with a "revoked" page.
Expired <== this one wouldn't load.

So.. the certifs are probably installed fine in system/browser
program?

Now, only TB's mail system is still complaining about
invalidity. :(

--- OpenXP 5.0.50
* Origin: Ogg's Dovenet Point (723:320/1.9)
� Synchronet � CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP

Re: let's encrypt certif problem
By: Ogg to Arelor on Sun Oct 17 2021 08:51 am

> Hello Arelor!
>
> ** On Saturday 16.10.21 - 06:31, Arelor wrote to Ogg:
>
> A> You need the self-signed certificate, not the cross-signed
> A> one, since the cross-signed one is using an old, expired
> A> trust chain.
>
> Just a little followup.. I tried their "test" links below:
>
> ISRG Root X1
> Valid <== this one worked OK
> Revoked <== this one loaded properly with "revoked"
> Expired <== this wouldn't load.
>
> ISRG Root X2
> Valid <== this one worked OK
> Revoked <== this one loaded with a "revoked" page.
> Expired <== this one wouldn't load.
>
>
> So.. the certifs are probably installed fine in system/browser
> program?
>
> Now, only TB's mail system is still complaining about
> invalidity. :(

Thunderbird and Firefox have their own certificate databases. They don't use
the system's.

--
gopher://gopher.richardfalken.com/1/richardfalken

---
■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL

Hello Arelor!

** On Sunday 17.10.21 - 05:55, Arelor wrote to Ogg:

A> You also have to manually remove the expired DST X3 one.

Ah.. That I haven't done.

But I didn't see any "LetsEncrypt" certifs in the list of
certifs.

--- OpenXP 5.0.50
* Origin: Ogg's Dovenet Point (723:320/1.9)
� Synchronet � CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP

Re: let's encrypt certif problem
By: Ogg to Arelor on Mon Oct 18 2021 07:35 pm

> Hello Arelor!
>
> ** On Sunday 17.10.21 - 05:55, Arelor wrote to Ogg:
>
> A> You also have to manually remove the expired DST X3 one.
>
>
> Ah.. That I haven't done.
>
> But I didn't see any "LetsEncrypt" certifs in the list of
> certifs.

Because it is not a Let's Encrypt certificate. It is an Internet Security
Research Group certificate. Internet Security Research Group are the owners of
Let's Encrypt.

--
gopher://gopher.richardfalken.com/1/richardfalken

---
■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL