[MlMt] Markdown formatting

Bill Cole mmlist-20120120 at billmail.scconsult.com
Fri Nov 12 15:22:55 EST 2021

On 2021-11-12 at 13:34:46 UTC-0500 (Fri, 12 Nov 2021 10:34:46 -0800)
Randall Gellens <mailmate at lists.freron.com>
is rumored to have said:

> I just tried to check for an update but received the error "SSL 
> certificate problem: certificate has expired", which might explain why 
> I wasn't aware there was anything newer.

That's probably a consequence of the recent expiration of the root CA 
cert ("DST Root CA X3") on a secondary validation path for Let's Encrypt 
certificates. Sites serve the full trust chain of certs needed for all 
of their trust paths except for the root to all clients and many are 
still serving both the valid trust path and the one that relies on an 
expired root. There's actually no consensus on whether server and 
intermediate certs that were issued when a CA cert was valid should be 
considered invalid when the CA expires but the issued cert is still 
nominally valid.

The fixes for that base problem vary between systems and can be 
confusing because an app can use the OS's security layer and its 
keychains of trusted CA certs or the Apple-distributed antique OpenSSL 
with a PEM bundle of CA certs in /etc/ssl/cert.pem  or the MacPorts 
OpenSSL with the 'curl-ca-bundle' package that puts a link at 
/opt/local/etc/openssl/cert.pem which points to 
/opt/local/share/curl/curl-ca-bundle.crt. Or if you use Homebrew, you 
might have something in /usr/local/etc. Some apps may even bundle their 
own SSL libraries to do self-updates. I'm pretty sure MM just uses the 
system facilities, but if you have similar problems with other tools

If Keychain Access will let you do so, you should remove "DST Root CA 
X3" from your System Roots keychain. On recent systems with SPI enabled, 
you can't do that so you can work around the problem by changing its 
Trust Settings to "Always Trust." You also should check your keychains 
for multiple versions of the "ISRG Root X1" certificate, which SHOULD be 
a self-signed root CA cert in SystemRoots. However, you may also have 
another version in the System or login keychains which is NOT actually a 
root CA cert but rather is issued by that expired root CA cert. If you 
do have one of those, they need to go. If you are unable to remove 
non-root versions of the "ISRG Root X1" cert or do not have the root 
version in SystemRoots, you can get the current version from 
http://x1.i.lencr.org/ and import it into your System keychain. (imports 
into SystemRoots don't work.)

Ideally, the fix is server-side. Servers like updates.mailmate-app.com 
should be reconfigured to send only the server certificate and its 
immediate issuer cert as the server's trust chain, NOT including the 
version of "ISRG Root X1" which is signed by the expired cert. That 
would break a DIFFERENT subset of older clients (which don't trust the 
ISRG root by default) which is probably why even Let's Encrypt's own 
servers are still sending the quasi-bogus cert.

Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

More information about the mailmate mailing list