http://www.ritlabs.com New posts in Let's Encrypt Certificate throws Expired error of forum at www.ritlabs.com [www.ritlabs.com] en http://backend.userland.com/rss2 Thu, 30 Sep 2021 22:27:43 +0300 Let's Encrypt Certificate throws Expired error DST Root CA X3 expired today and seems to cause The Bat to fail the certficate check in forum The Bat! - Configuring the E-mail Client.
Let's continue this discussion here, where user Cbiweb posted the same problem just before you did:

https://www.ritlabs.com/en/auth-forums/forum4/topic15456/
30 September 2021 22:27:43, Daniel van Rooijen.]]> http://www.ritlabs.com/en/forums/forum4/topic15457/message52334/ http://www.ritlabs.com/en/forums/forum4/topic15457/message52334/ Thu, 30 Sep 2021 22:27:43 +0300 The Bat! - Configuring the E-mail Client Let's Encrypt Certificate throws Expired error DST Root CA X3 expired today and seems to cause The Bat to fail the certficate check in forum The Bat! - Configuring the E-mail Client.

====quote====
cbiweb wrote:
I just posted about this as well. Hope it gets resolved quickly.
=============

Haha, yeah, just saw your post after I hit "Send" on mine.
30 September 2021 22:27:10, Yann Schlame.]]> http://www.ritlabs.com/en/forums/forum4/topic15457/message52333/ http://www.ritlabs.com/en/forums/forum4/topic15457/message52333/ Thu, 30 Sep 2021 22:27:10 +0300 The Bat! - Configuring the E-mail Client Let's Encrypt Certificate throws Expired error DST Root CA X3 expired today and seems to cause The Bat to fail the certficate check in forum The Bat! - Configuring the E-mail Client.
I just posted about this a few minutes before you as well. Hope it gets resolved quickly.
30 September 2021 22:25:37, cbiweb.]]> http://www.ritlabs.com/en/forums/forum4/topic15457/message52332/ http://www.ritlabs.com/en/forums/forum4/topic15457/message52332/ Thu, 30 Sep 2021 22:25:37 +0300 The Bat! - Configuring the E-mail Client Let's Encrypt Certificate throws Expired error DST Root CA X3 expired today and seems to cause The Bat to fail the certficate check in forum The Bat! - Configuring the E-mail Client.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Moderator's note, Oct. 1st 2021: Ritlabs has addressed this issue in a statement that you can find HERE.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

I run a several mailservers with Let's Encrypt certificates (*). This afternoon, The Bat Version 9.4.4 (64-bit) began showing an error for the mailservers' certificates.

Error fr om an internal IMAP server:


====quote====
30.09.2021, 20:02:46: IMAP  - Connecting to IMAP server mail.int.example.org on port 993
30.09.2021, 20:02:46: IMAP  - Initiating TLS handshake
>30.09.2021, 20:02:46: IMAP  - Certificate S/N: 03A5*****, algorithm: RSA (2048 bits), issued from 9/26/2021 3:51:34 AM to 12/25/2021 3:51:33 AM, for 2 host(s): mail.int.example.org, www.mail.int.example.org.
>30.09.2021, 20:02:46: IMAP  - Owner: "mail.int.example.org".
>30.09.2021, 20:02:46: IMAP  - Issuer: "US", "Let's Encrypt", "R3". Valid from 9/4/2020 to 9/15/2025 4:00:00 PM.
>30.09.2021, 20:02:46: IMAP  - Issuer: "US", "Internet Security Research Group", "ISRG Root X1". Valid from 1/20/2021 7:14:03 PM to 9/30/2024 6:14:03 PM.
>30.09.2021, 20:02:46: IMAP  - Root: "Digital Signature Trust Co.", "DST Root CA X3". Valid from 9/30/2000 9:12:19 PM to 9/30/2021 2:01:15 PM. This certificate has expired!
!30.09.2021, 20:02:46: IMAP  - TLS handshake failure. Invalid server certificate (This certificate has expired).

=============

Error from a public POP3 server:


====quote====
30.09.2021, 21:00:08: FETCH - receiving mail messages
30.09.2021, 21:00:08: FETCH - Connecting to POP3 server mail.example.org on port 995
30.09.2021, 21:00:08: FETCH - Initiating TLS handshake
>30.09.2021, 21:00:08: FETCH - Certificate S/N: 039D****, algorithm: RSA (2048 bits), issued from 7/19/2021 7:45:19 AM to 10/17/2021 7:45:17 AM, for 1 host(s): mail.example.org.
>30.09.2021, 21:00:08: FETCH - Owner: "mail.example.org".
>30.09.2021, 21:00:08: FETCH - Issuer: "US", "Let's Encrypt", "R3". Valid from 9/4/2020 to 9/15/2025 4:00:00 PM.
>30.09.2021, 21:00:08: FETCH - Issuer: "US", "Internet Security Research Group", "ISRG Root X1". Valid from 1/20/2021 7:14:03 PM to 9/30/2024 6:14:03 PM.
>30.09.2021, 21:00:08: FETCH - Root: "Digital Signature Trust Co.", "DST Root CA X3". Valid from 9/30/2000 9:12:19 PM to 9/30/2021 2:01:15 PM. This certificate has expired!
!30.09.2021, 21:00:08: FETCH - TLS handshake failure. Invalid server certificate (This certificate has expired).

=============

Today, Let's Encrypt's cross-signed certificate DST Root CA X3 expired, which had been announced in advance, see: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Thunderbird clients on similar PCs connect to the internal IMAP server with no issues.

My operating system on the affected PC is: Windows 10 Home, Version 2004, Build 19041.1165

Since The Bat was able to connect to the mailserver without issues earlier this afternoon, I suspect the expired cross-signing certificate is the one causing the problem, as highlighted in the error message. According to Let's Encrypt's announcement, the Let's Encrypt Root certificate should still be considered valid, meaning that the entire certificate should be valid.

I can't tell wh ere the problem lies within the Certficate Chain, and would be grateful for pointers on how to fix the problem for my installation of The Bat.


(*) I have HTTP hosts set up with the same hostnames as the internal and public mailservers; these HTTP hosts retrieve and update their Let's Encrypt certificates through the normal renewal procedure. A bunch of custom shell scripts then copy the certificates into the postfix and dovecot config directories and restart the mailserver programs after every certificate update.
30 September 2021 22:12:59, Yann Schlame.]]> http://www.ritlabs.com/en/forums/forum4/topic15457/message52330/ http://www.ritlabs.com/en/forums/forum4/topic15457/message52330/ Thu, 30 Sep 2021 22:12:59 +0300 The Bat! - Configuring the E-mail Client