[MlMt] Markdown formatting

Randall Gellens mailmate at randy.pensive.org
Wed Nov 24 19:45:26 EST 2021

On 12 Nov 2021, at 12:22, Bill Cole wrote:

> On 2021-11-12 at 13:34:46 UTC-0500 (Fri, 12 Nov 2021 10:34:46 -0800)
> Randall Gellens <mailmate at lists.freron.com>
> is rumored to have said:
>> I just tried to check for an update but received the error "SSL 
>> certificate problem: certificate has expired", which might explain 
>> why I wasn't aware there was anything newer.
> That's probably a consequence of the recent expiration of the root CA 
> cert ("DST Root CA X3") on a secondary validation path for Let's 
> Encrypt certificates. Sites serve the full trust chain of certs needed 
> for all of their trust paths except for the root to all clients and 
> many are still serving both the valid trust path and the one that 
> relies on an expired root. There's actually no consensus on whether 
> server and intermediate certs that were issued when a CA cert was 
> valid should be considered invalid when the CA expires but the issued 
> cert is still nominally valid.
> The fixes for that base problem vary between systems and can be 
> confusing because an app can use the OS's security layer and its 
> keychains of trusted CA certs or the Apple-distributed antique OpenSSL 
> with a PEM bundle of CA certs in /etc/ssl/cert.pem  or the MacPorts 
> OpenSSL with the 'curl-ca-bundle' package that puts a link at 
> /opt/local/etc/openssl/cert.pem which points to 
> /opt/local/share/curl/curl-ca-bundle.crt. Or if you use Homebrew, you 
> might have something in /usr/local/etc. Some apps may even bundle 
> their own SSL libraries to do self-updates. I'm pretty sure MM just 
> uses the system facilities, but if you have similar problems with 
> other tools
> If Keychain Access will let you do so, you should remove "DST Root CA 
> X3" from your System Roots keychain.
> On recent systems with SPI enabled, you can't do that so you can work 
> around the problem by changing its Trust Settings to "Always Trust."

I don't seem to have such a certificate. Nothing matches "DST" or "X3" 

> You also should check your keychains for multiple versions of the 
> "ISRG Root X1" certificate, which SHOULD be a self-signed root CA cert 
> in SystemRoots. However, you may also have another version in the 
> System or login keychains which is NOT actually a root CA cert but 
> rather is issued by that expired root CA cert. If you do have one of 
> those, they need to go. If you are unable to remove non-root versions 
> of the "ISRG Root X1" cert or do not have the root version in 
> SystemRoots, you can get the current version from 
> http://x1.i.lencr.org/ and import it into your System keychain. 
> (imports into SystemRoots don't work.)

I only have one such certificate, which expires in 2035.  Serial number 
"00 82 10 CF B0 D2 40 E3 59 44 63 E0 BB 63 82 8B 00".

Given that I don't seem to have a "DST Root CA X3" cert and I have only 
one "ISRG Root X1" cert, what do you suggest?

More information about the mailmate mailing list