[MlMt] Markdown formatting
mailmate at randy.pensive.org
Wed Nov 24 19:45:26 EST 2021
On 12 Nov 2021, at 12:22, Bill Cole wrote:
> On 2021-11-12 at 13:34:46 UTC-0500 (Fri, 12 Nov 2021 10:34:46 -0800)
> Randall Gellens <mailmate at lists.freron.com>
> is rumored to have said:
>> I just tried to check for an update but received the error "SSL
>> certificate problem: certificate has expired", which might explain
>> why I wasn't aware there was anything newer.
> That's probably a consequence of the recent expiration of the root CA
> cert ("DST Root CA X3") on a secondary validation path for Let's
> Encrypt certificates. Sites serve the full trust chain of certs needed
> for all of their trust paths except for the root to all clients and
> many are still serving both the valid trust path and the one that
> relies on an expired root. There's actually no consensus on whether
> server and intermediate certs that were issued when a CA cert was
> valid should be considered invalid when the CA expires but the issued
> cert is still nominally valid.
> The fixes for that base problem vary between systems and can be
> confusing because an app can use the OS's security layer and its
> keychains of trusted CA certs or the Apple-distributed antique OpenSSL
> with a PEM bundle of CA certs in /etc/ssl/cert.pem or the MacPorts
> OpenSSL with the 'curl-ca-bundle' package that puts a link at
> /opt/local/etc/openssl/cert.pem which points to
> /opt/local/share/curl/curl-ca-bundle.crt. Or if you use Homebrew, you
> might have something in /usr/local/etc. Some apps may even bundle
> their own SSL libraries to do self-updates. I'm pretty sure MM just
> uses the system facilities, but if you have similar problems with
> other tools
> If Keychain Access will let you do so, you should remove "DST Root CA
> X3" from your System Roots keychain.
> On recent systems with SPI enabled, you can't do that so you can work
> around the problem by changing its Trust Settings to "Always Trust."
I don't seem to have such a certificate. Nothing matches "DST" or "X3"
> You also should check your keychains for multiple versions of the
> "ISRG Root X1" certificate, which SHOULD be a self-signed root CA cert
> in SystemRoots. However, you may also have another version in the
> System or login keychains which is NOT actually a root CA cert but
> rather is issued by that expired root CA cert. If you do have one of
> those, they need to go. If you are unable to remove non-root versions
> of the "ISRG Root X1" cert or do not have the root version in
> SystemRoots, you can get the current version from
> http://x1.i.lencr.org/ and import it into your System keychain.
> (imports into SystemRoots don't work.)
I only have one such certificate, which expires in 2035. Serial number
"00 82 10 CF B0 D2 40 E3 59 44 63 E0 BB 63 82 8B 00".
Given that I don't seem to have a "DST Root CA X3" cert and I have only
one "ISRG Root X1" cert, what do you suggest?
More information about the mailmate