Getting 'certificate expired' message when the certificate is NOT expired. Web host confirms that their certificate is valid
 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Moderator's note, Oct. 1st 2021: Ritlabs has addressed this issue in a statement that you can find HERE.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Very suddenly, earlier today, I stopped being able to send or receive email in TheBat! I have two business domains, and this error happens on both:

"TLS handshake failure. Invalid server certificate (This certificate has expired)."

It also happens on two different computers, both with the latest Windows 10 updates. I rebooted both machines just in case, but the issue persists. It's been that way more than 5 hours at this point.

My Web host confirms that their certificate is valid.
As a test I set up one of my email accounts in Mozilla Thunderbird, and it works perfectly. So it definitely appears that TheBat! isn't accepting the certificate for some reason. I am using version 9.4.4 64-bit.

Here is the full log error that I get:

2021-09-30, 15:58:32: FETCH - receiving mail messages
2021-09-30, 15:58:32: FETCH - Connecting to POP3 server mail.de.opalstack.com on port 995
2021-09-30, 15:58:32: FETCH - Initiating TLS handshake
>2021-09-30, 15:58:32: FETCH - Certificate S/N: 035C215C9F515BE5DA337172D779AC9E0632, algorithm: RSA (2048 bits), issued from 9/4/2021 6:42:32 AM to 12/3/2021 6:42:31 AM, for 1 host(s): *.de.opalstack.com.
>2021-09-30, 15:58:32: FETCH - Owner: "*.de.opalstack.com".
>2021-09-30, 15:58:32: FETCH - Issuer: "US", "Let's Encrypt", "R3". Valid from 9/4/2020 to 9/15/2025 4:00:00 PM.
>2021-09-30, 15:58:32: FETCH - Issuer: "US", "Internet Security Research Group", "ISRG Root X1". Valid from 1/20/2021 7:14:03 PM to 9/30/2024 6:14:03 PM.
>2021-09-30, 15:58:32: FETCH - Root: "Digital Signature Trust Co.", "DST Root CA X3". Valid from 9/30/2000 9:12:19 PM to 9/30/2021 2:01:15 PM. This certificate has expired!
!2021-09-30, 15:58:32: FETCH - TLS handshake failure. Invalid server certificate (This certificate has expired).
 
I see three possibilities:

1) You may need to add a certificate to the address book so that The Bat will trust it. The company in question, Let's Encrypt, is making its certificates available here:  https://letsencrypt.org/certificates/

2) You may have to temporarily switch The Bat from using its own certificates to using those in Windows. For this, go to Options | S/MIME and TLS and change the first setting there to Microsoft CryptoAPI.

3) Or there is a problem with the Bat's interpretation of the certificate, and the developers have to fix it.

ps: User Yann Schlame posted a similar problem report, which I've closed, here: https://www.ritlabs.com/en/auth-forums/forum4/topic15457/
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
Quote
Daniel van Rooijen wrote:
You may have to temporarily switch The Bat from using its own certificates to using those in Windows. For this, go to Options | S/MIME and TLS and change the first setting there to Microsoft CryptoAPI.

Awesome! That fixes it for me. Thank you. :)

Of course I hope The Bat will also receive an update to get rid of the problem altogether, but as a workaround, that seems to do it.
 
Further to point 1:

In The Bat, certificates are handled through the Address Book. To add a certificate:

- Tools | Address Book (F8)
- In the address book: View | Certificate Address Books
- Select the relevant certificate section (intermediate or root)
- Click: File | New | Contact
- Go to the Certificates tab and click 'import' to import the file that holds the certificate.

As to this specific situation, I don't know which specific certificate has to be imported to fix the chain of trust, but hopefully you guys can figure that out yourselves, and maybe Let's Encrypt's tech support can help you if you send them your error log.
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
Quote
Yann Schlame wrote:
Awesome! That fixes it for me. Thank you. :)

Happy to hear it! Hopefully it's not a bug in the certificate interpretation but simply a missing certificate (or The Bat may just be more strict than others).
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
I confirm that the first two possibilities work, and that there is no problem with the Bat's interpretation.

Step-by-step details:

1)

a) Download ISRG Root X1 .der file from https://letsencrypt.org/certificates/
b) Go to Tools -> Address Book -> Trusted Root CA -> DST Root CA X3 -> (right click) Properties -> (tab) Certificates -> Import... and import the .der file
If Trusted Root CA is not visible in the Address Book, turn on the option from the View menu item.

OR

2)

Switch to Options -> S/MIME and TLS... -> Microsoft CryptoAPI
Edited: Miloš Radovanović - 30 September 2021 22:51:56 (Being more precise)
 
Thanks so much, Miloš! Great to hear that it's not a bug.

Even so, I have opened a support ticket to notify the developers. Maybe they should include that root certificate in The Bat.
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
Yes, the devs should definitely include the new certificate. As is, servers that use the Let's Encrypt certificate chain are not supported out-of-the-box.
 
Quote
2) You may have to temporarily switch The Bat from using its own certificates to using those in Windows. For this, go to Options | S/MIME and TLS and change the first setting there to Microsoft CryptoAPI.
I used this option as well, and it resolved the issue. I'll try the first option when I have more time to be sure of exactly which cert I need.

Thanks for the help! :)

Edit: just saw Miloš Radovanović's post about it. I'll do it soon as I can.
Edited: cbiweb - 30 September 2021 22:58:47 (added more info)
 
Quote
Miloš Radovanović wrote:
Yes, the devs should definitely include the new certificate. As is, servers that use the Let's Encrypt certificate chain are not supported out-of-the-box.

Yes, I suppose so -- but are we talking about ISRG Root X1 (which had no error message in the log file) or about DST Root CA X3 (which had expired)?  

In line a) of your explanation, you say that ISRG Root X1 must be downloaded but in line b) you seem to import it in the address book entry for DST Root CA X3.  Could it be that you meant to say in line a) that DST Root CA X3 must be downloaded? That would seem to make more sense to me, but I may well be mistaken.
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
Very strange.  I'm using TB v9.3.4 and running three simultaneous instances of it on the same computer.  Downloading and installing a new certificate solved the problem in two of the instances but not the third.  When I switched to the Microsoft certificate the third instance began to work, but would resume failing when I switched back to the new certificate.

After an hour or so I started getting certificate failures on one of the two instances that was previously working with the new certificate, so I had to switch it to the Microsoft certificate too.  I'm now just patiently waiting for the third shoe (certificate) to drop.  All three instances worked fine together for years with the old certificate.

I also have another TB v9.3.4 installation on a totally separate computer.  The new certificate worked fine on it for a while but then started failing too so I had to switch to the Microsoft certificate.

Does anyone have any idea why this is happening?  Is there a reason not to simply use the Microsoft certificate for everything?
Edited: Ray Mitchell - 01 October 2021 05:43:29
 
Quote
Daniel van Rooijen wrote:
Yes, I suppose so -- but are we talking about ISRG Root X1 (which had no error message in the log file) or about DST Root CA X3 (which had expired)?

The Let's Encrypt team explain this in their post I linked in the other thread about the same problem:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

The DST Root CA X3 certificate has expired for good and doesn't need any updating. It is now obsolete.

It appears as if The Bat does not contain/know the newer ISRG Root X1 certificate. This is the one that The Bat needs to import in order for Let's Encrypt certificates to be correctly validated again.
 
Quote
Yann Schlame wrote:

Quote
Daniel van Rooijen wrote:
Yes, I suppose so -- but are we talking about ISRG Root X1 (which had no error message in the log file) or about DST Root CA X3 (which had expired)?

The Let's Encrypt team explain this in their post I linked in the other thread about the same problem:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

The DST Root CA X3 certificate has expired for good and doesn't need any updating. It is now obsolete.

It appears as if The Bat does not contain/know the newer ISRG Root X1 certificate. This is the one that The Bat needs to import in order for Let's Encrypt certificates to be correctly validated again.
Yes, the ISRG Root X1 is the official successor to the now expired DST Root CA X3, that's why I used it. Importing the ISRG Root X1 .der file into the Address Book entry for DST Root CA X3 is the first thing I tried and it did the job. I can also confirm that creating a separate Address Book entry for ISRG Root X1 and importing the .der file there will also do the trick (of course, also deleting the certificate previously imported to the DST Root CA X3 entry). I guess this is a cleaner solution.
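To make the chain-building described in this post and the one before it concrete, here is an added example in Go (not code from the thread, from Ritlabs or from Let's Encrypt). It builds a miniature copy of the hierarchy shown in the log, with ISRG Root X1 present both self-signed and cross-signed by DST Root CA X3, and then validates the server certificate the way a mail client would, against a trust store that only knows DST Root CA X3 and against one that knows ISRG Root X1. The dates are the ones from the log; the keys, serial numbers, the host name mail.example.test and all function names are assumptions made for the example, and Go's standard-library x509 chain builder stands in for The Bat's own validator.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Dates are from the log in the thread (DST Root CA X3 expired 2021-09-30 14:01:15, UTC assumed).
var notBefore = time.Date(2020, 9, 1, 0, 0, 0, 0, time.UTC)
var dstExpiry = time.Date(2021, 9, 30, 14, 1, 15, 0, time.UTC)
var isrgExpiry = time.Date(2025, 9, 15, 16, 0, 0, 0, time.UTC)

// toyChain mirrors the log: leaf <- R3 <- ISRG Root X1, which exists self-signed and cross-signed by DST.
type toyChain struct {
	leaf, r3, isrgCross, isrgSelf, dst *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

func caTemplate(serial int64, cn, org string, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// sign issues tmpl for subject's public key, signed by issuer's key under parent.
func sign(tmpl, parent *x509.Certificate, subject, issuer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, subject.Public(), issuer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

func buildToyChain() toyChain {
	dstKey, isrgKey, r3Key, leafKey := newKey(), newKey(), newKey(), newKey()
	selfSigned := func(t *x509.Certificate, k *ecdsa.PrivateKey) *x509.Certificate { return sign(t, t, k, k) }
	dst := selfSigned(caTemplate(1, "DST Root CA X3", "Digital Signature Trust Co.", dstExpiry), dstKey)
	isrgSelf := selfSigned(caTemplate(2, "ISRG Root X1", "Internet Security Research Group", isrgExpiry), isrgKey)
	// The cross-sign: same subject and key as isrgSelf, issued by DST so that clients
	// which only trust DST Root CA X3 can still build a path to something they know.
	isrgCross := sign(caTemplate(3, "ISRG Root X1", "Internet Security Research Group", isrgExpiry), dst, isrgKey, dstKey)
	r3 := sign(caTemplate(4, "R3", "Let's Encrypt", isrgExpiry), isrgSelf, r3Key, isrgKey)
	leafT := &x509.Certificate{
		SerialNumber: big.NewInt(5),
		DNSNames:     []string{"*.example.test"}, // constructed stand-in for *.de.opalstack.com
		NotBefore:    notBefore,
		NotAfter:     isrgExpiry,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := sign(leafT, r3, leafKey, r3Key)
	return toyChain{leaf: leaf, r3: r3, isrgCross: isrgCross, isrgSelf: isrgSelf, dst: dst}
}

// verifyAt plays the mail client: it trusts only roots, receives leaf + R3 + cross-sign from
// the server, and validates at time now. It returns the CN of the root it chained to.
func verifyAt(c toyChain, now time.Time, roots ...*x509.Certificate) (string, error) {
	trusted, sent := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		trusted.AddCert(r)
	}
	sent.AddCert(c.r3)
	sent.AddCert(c.isrgCross)
	opts := x509.VerifyOptions{Roots: trusted, Intermediates: sent, DNSName: "mail.example.test", CurrentTime: now}
	chains, err := c.leaf.Verify(opts)
	if err != nil {
		return "", err
	}
	return chains[0][len(chains[0])-1].Subject.CommonName, nil
}

func main() {
	c := buildToyChain()
	after := dstExpiry.Add(time.Hour)
	for _, trust := range []*x509.Certificate{c.dst, c.isrgSelf} {
		root, err := verifyAt(c, after, trust)
		fmt.Printf("after expiry, trusting only %q: root=%q err=%v\n", trust.Subject.CommonName, root, err)
	}
}
```

Run with `go run`: with only DST Root CA X3 in the store the path leaf -> R3 -> ISRG Root X1 (cross-signed) -> DST Root CA X3 is the only one the client can build, and after 2021-09-30 14:01:15 it fails with an "expired" error on the root, which is exactly the last log line in the first post. With the self-signed ISRG Root X1 in the store the client finds the shorter path leaf -> R3 -> ISRG Root X1 and validates, which is what importing the isrgrootx1.der file into The Bat's Trusted Root CA address book achieves; the expired DST entry can stay or go, since it is no longer needed for the path.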
 
Quote
Ray Mitchell wrote:
After an hour or so I started getting certificate failures on one of the two instances that was previously working with the new certificate, so I had to switch it to the Microsoft certificate too.  I'm now just patiently waiting for the third shoe (certificate) to drop.  All three instances worked fine together for years with the old certificate.

I also have another TB v9.3.4 installation on a totally separate computer.  The new certificate worked fine on it for a while but then started failing too so I had to switch to the Microsoft certificate.

Does anyone have any idea why this is happening?  Is there a reason not to simply use the Microsoft certificate for everything?
I had no such problems, but it could be due to my first solution being a bit "dirty" and leaving the old certificate in the same Address Book entry. See my post above for a cleaner solution.

I don't know what are the pros and cons of using the Microsoft API, apart from it also working for me.
 
Hi, I have exactly the same problems. I am using the BAT version 9.3.4. (64 bits).

I do not want to get into technical stuff (not my hobby), though I understand from my login logs that the BAT certificate expired yesterday, as you can see hereunder.

>1-10-2021, 12:31:45: SEND  - Basis: "Digital Signature Trust Co.", "DST Root CA X3" Geldig van 30-9-2000 21:12:19 tot 30-9-2021 14:01:15. Dit S/MIME certificaat is verlopen!
!1-10-2021, 12:31:45: SEND  - TLS handdruk mislukt. Ongeldig servercertificaat (Dit S/MIME certificaat is verlopen).

I just would think that receiving an updated file (with correct dates) would just be the best service.


I would also like to know more on the consequences of using Windows certificate and getting MS CryptoAPI  (option2).


Thanks.
 
Quote
Beatrice Boucher wrote:
Hi, I have exactly the same problems. I am using the BAT version 9.3.4. (64 bits).

I do not want to get into technical stuff (not my hobby), though I understand from my login logs that the BAT certificate expired yesterday, as you can see hereunder.

>1-10-2021, 12:31:45: SEND  - Basis: "Digital Signature Trust Co.", "DST Root CA X3" Geldig van 30-9-2000 21:12:19 tot 30-9-2021 14:01:15. Dit S/MIME certificaat is verlopen!
!1-10-2021, 12:31:45: SEND  - TLS handdruk mislukt. Ongeldig servercertificaat (Dit S/MIME certificaat is verlopen).

I just would think that receiving an updated file (with correct dates) would just be the best service.


I would also like to know more on the consequences of using Windows certificate and getting MS CryptoAPI  (option2).


Thanks.
I can't help with the question on option2, but here are the steps for the "cleaner" solution for option1:

a) Download https://letsencrypt.org/certs/isrgrootx1.der
b) In The Bat!, make sure that Internal Implementation is selected in Options -> S-MIME and TLS...
c) Tools -> Address Book
d) If Trusted Root CA is not visible in the Address Book, select View -> Certificate Address Books
e) Select Trusted Root CA, click Create New Contact
f) Tab General: enter "ISRG Root X1" in field First name, select "User-defined" in field Display name
g) Tab Business: enter "Internet Security Research Group" in field Company Name
h) Tab Certificates: Import... and select the downloaded file
 
Quote
Miloš Radovanović wrote:
[..] here are the steps for the "cleaner" solution for option1:

Many thanks for this fool-proof solution!
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
Quote
Beatrice Boucher wrote:
I just would think that receiving an updated file (with correct dates) would just be the best service.

Well, I doubt if Ritlabs would re-release older versions with the new certificate. Instead, I'd expect that the new certificate will be included in the next version, but that would force you to upgrade to that latest version.

Quote
I would also like to know more on the consequences of using Windows certificate and getting MS CryptoAPI  (option2).

Theoretically, using The Bat's private certificate store is more secure. The one built into Windows, that is used by most applications, is an interesting target for skilled hackers, and several exploits have been found in the past. Those do not affect The Bat because it has its own encryption/decryption/verification routines and its own store of certificates. Still, if you're not guarding national secrets, I wouldn't worry about it.
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
Everyone: Please see the official notification by Ritlabs, which offers yet another good solution:

https://www.ritlabs.com/en/news/7666/
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
Quote
Daniel van Rooijen wrote:
Everyone: Please see the official notification by Ritlabs, which offers yet another good solution:

https://www.ritlabs.com/en/news/7666/
I can confirm that the official solution by replacing the .ABD file works as well :)

The .ABD file is actually the whole Trusted Root CA address book entry. The devs added the ISRG Root X1 "contact" (as I described in post #16), and updated the DST Root CA X3 contact by importing the same new certificate (as I described in post #6) and deleting the old certificate.

I seem to have accumulated many more entries in Trusted Root CA than there are in the provided version, so I'll stick with my old manually updated one just in case.
 
Hi,
https://www.ritlabs.com/en/news/7666/    -> 404 :(

Thanks
 
Quote
pierrevg wrote:
https://www.ritlabs.com/en/news/7666/     -> 404 :(

This was an old problem and the file was probably removed because it was no longer relevant. By the way, the issue discussed here was also discussed in another topic: https://www.ritlabs.com/en/forums/forum4/topic15458/

Are you having this same problem and if so, have you tried the suggestions offered here? If you have, which version of The Bat do you have?
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.