LetsEncrypt's DST Root CA X3 certificate

<20211006.080348.bcbefd5d@mixmin.net>

https://www.novabbs.com/computers/article-flat.php?id=9860&group=alt.privacy.anon-server#9860

Newsgroups: alt.privacy.anon-server
Injection-Date: Wed, 6 Oct 2021 07:05:01 +0000 (UTC)
Message-ID: <20211006.080348.bcbefd5d@mixmin.net>
Subject: LetsEncrypt's DST Root CA X3 certificate
Comments: This message was transferred to Usenet via mail2news gateway at
<mail2news@neodome.net>. Please send questions and concerns to
<admin@neodome.net>. Report inappropriate use to <abuse@neodome.net>.
Date: Wed, 6 Oct 2021 08:03:48 +0100
Path: rocksolid2!news.neodome.net!mail2news
Newsgroups: alt.privacy.anon-server
From: remai...@domain.invalid (Anonymous)
 by: Anonymous - Wed, 6 Oct 2021 07:03 UTC

The PROBLEM:

The "DST Root CA X3" certificate on your server has expired and has
not been updated. Why? Because your OS is very old.

THE FIX:

Assuming you are using Debian8, Ubuntu16.04 or an even older
end-of-life OS.

sudo dpkg-reconfigure ca-certificates

On the first screen that prompts "Trust new certificates from
certificate authorities?" choose "yes".

On the next screen press the down arrow key on your keyboard
until you find mozilla/DST_Root_CA_X3.crt. Press the space
bar to deselect it (the [*] should turn into [ ]) and press
Enter.

sudo update-ca-certificates

Re: LetsEncrypt's DST Root CA X3 certificate

<sjk58l$j37$1@news.mixmin.net>

https://www.novabbs.com/computers/article-flat.php?id=9863&group=alt.privacy.anon-server#9863

Newsgroups: alt.privacy.anon-server
Path: rocksolid2!news.neodome.net!news.mixmin.net!.POSTED!not-for-mail
From: nob...@remailer.paranoici.org (Anonymous)
Newsgroups: alt.privacy.anon-server
Subject: Re: LetsEncrypt's DST Root CA X3 certificate
Date: Wed, 6 Oct 2021 07:36:38 -0500
Organization: Mixmin
Message-ID: <sjk58l$j37$1@news.mixmin.net>
References: <20211006.080348.bcbefd5d@mixmin.net>
Injection-Date: Wed, 6 Oct 2021 12:36:39 -0000 (UTC)
Injection-Info: news.mixmin.net; posting-host="f91d5bfaa1aae4ce6586131d7b5d0809b4f74270";
logging-data="19559"; mail-complaints-to="abuse@mixmin.net"
 by: Anonymous - Wed, 6 Oct 2021 12:36 UTC

>
> The PROBLEM:
>
> The "DST Root CA X3" certificate on your server has expired and has
> not been updated. Why? Because your OS is very old.
>
> THE FIX:
>
> Assuming you are using Debian8, Ubuntu16.04 or an even older
> end-of-life OS.
>
> sudo dpkg-reconfigure ca-certificates
>
> On the first screen that prompts "Trust new certificates from
> certificate authorities?" choose "yes".
>
> On the next screen press the down arrow key on your keyboard
> until you find mozilla/DST_Root_CA_X3.crt. Press the space
> bar to deselect it (the [*] should turn into [ ]) and press
> Enter.
>
> sudo update-ca-certificates

Thanks.

Re: LetsEncrypt's DST Root CA X3 certificate

<sjk643$lgv$1@news.mixmin.net>

https://www.novabbs.com/computers/article-flat.php?id=9864&group=alt.privacy.anon-server#9864

Newsgroups: alt.privacy.anon-server
Path: rocksolid2!i2pn.org!aioe.org!news.mixmin.net!.POSTED!not-for-mail
From: rem...@not-for-mail.invalid (rmd)
Newsgroups: alt.privacy.anon-server
Subject: Re: LetsEncrypt's DST Root CA X3 certificate
Date: Wed, 6 Oct 2021 07:51:16 -0500
Organization: Mixmin
Message-ID: <sjk643$lgv$1@news.mixmin.net>
References: <20211006.080348.bcbefd5d@mixmin.net>
Injection-Date: Wed, 6 Oct 2021 12:51:16 -0000 (UTC)
Injection-Info: news.mixmin.net; posting-host="d78b4684d50309e3e4ac88203f0a54ee0dccf636";
logging-data="22047"; mail-complaints-to="abuse@mixmin.net"
 by: rmd - Wed, 6 Oct 2021 12:51 UTC

>
> The PROBLEM:
>
> The "DST Root CA X3" certificate on your server has expired and has
> not been updated. Why? Because your OS is very old.
>
> THE FIX:
>
> Assuming you are using Debian8, Ubuntu16.04 or an even older
> end-of-life OS.
>
> sudo dpkg-reconfigure ca-certificates
>
> On the first screen that prompts "Trust new certificates from
> certificate authorities?" choose "yes".
>
> On the next screen press the down arrow key on your keyboard
> until you find mozilla/DST_Root_CA_X3.crt. Press the space
> bar to deselect it (the [*] should turn into [ ]) and press
> Enter.
>
> sudo update-ca-certificates

Nothing shows up in /etc/ca-certificates/update.d

Re: LetsEncrypt's DST Root CA X3 certificate

<INi7J.308218$ZXL.185191@fx09.ams1>

https://www.novabbs.com/computers/article-flat.php?id=9865&group=alt.privacy.anon-server#9865

Newsgroups: alt.privacy.anon-server
Path: rocksolid2!news.neodome.net!feeder5.feed.usenet.farm!feeder1.feed.usenet.farm!feed.usenet.farm!newsreader4.netcologne.de!news.netcologne.de!peer03.ams1!peer.ams1.xlned.com!news.xlned.com!fx09.ams1.POSTED!not-for-mail
From: adm...@sec3.net (SEC3)
Subject: Re: LetsEncrypt's DST Root CA X3 certificate
Newsgroups: alt.privacy.anon-server
References: <20211006.080348.bcbefd5d@mixmin.net>
<sjk643$lgv$1@news.mixmin.net>
X-Mozilla-News-Host: news://eunews.blocknews.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <sjk643$lgv$1@news.mixmin.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Lines: 55
Message-ID: <INi7J.308218$ZXL.185191@fx09.ams1>
X-Complaints-To: abuse@blocknews.net
NNTP-Posting-Date: Wed, 06 Oct 2021 14:55:36 UTC
Organization: blocknews - www.blocknews.net
Date: Wed, 6 Oct 2021 10:55:35 -0400
X-Received-Bytes: 2421
 by: SEC3 - Wed, 6 Oct 2021 14:55 UTC

On 2021-10-06 8:51 a.m., rmd wrote:
>>
>> The PROBLEM:
>>
>> The "DST Root CA X3" certificate on your server has expired and has
>> not been updated. Why? Because your OS is very old.
>>
>> THE FIX:
>>
>> Assuming you are using Debian8, Ubuntu16.04 or an even older
>> end-of-life OS.
>>
>> sudo dpkg-reconfigure ca-certificates
>>
>> On the first screen that prompts "Trust new certificates from
>> certificate authorities?" choose "yes".
>>
>> On the next screen press the down arrow key on your keyboard
>> until you find mozilla/DST_Root_CA_X3.crt. Press the space
>> bar to deselect it (the [*] should turn into [ ]) and press
>> Enter.
>>
>> sudo update-ca-certificates
>
> Nothing shows up in /etc/ca-certificates/update.d
>

My servers are all Debian 10 or 11 so I am not experiencing this issue.
But the above instructions merely disable the expired cert. Your system
should, I believe, already have LetsEncrypt's replacement root cert:
mozilla/ISRG_Root_X1.crt

$ grep X1 /etc/ca-certificates.conf

mozilla/ISRG_Root_X1.crt

With that cert in place and the expired cert disabled your errors when
using mixmaster-getstats should disappear. Whether Mixmaster uses wget
or curl shouldn't matter. Both should now work without complaining.

curl -I https://www.mixmin.net/echolot/pubring.mix

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 14:54:06 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Wed, 06 Oct 2021 08:00:01 GMT
ETag: "4246-5cdaa8877ff7f"
Accept-Ranges: bytes
Content-Length: 16966

--
SEC3

YAMN Tutorials - https://sec3.net/yamnhelp
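
An added example, not part of the original posts: a shell audit of the two `/etc/ca-certificates.conf` entries discussed above, with a non-interactive way to deselect the expired root. It relies on the file's convention that a leading `!` marks a certificate as deselected; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit (and fix) the two ca-certificates.conf entries the
# thread discusses. A leading "!" on a line means that certificate is deselected.

DST=mozilla/DST_Root_CA_X3.crt
ISRG=mozilla/ISRG_Root_X1.crt

# cert_state CONF ENTRY -> prints enabled, disabled or missing
cert_state() {
    if grep -qxF -- "$2" "$1"; then echo enabled
    elif grep -qxF -- "!$2" "$1"; then echo disabled
    else echo missing
    fi
}

# audit_conf CONF -> prints "ok" or the first problem found
audit_conf() {
    if [ "$(cert_state "$1" "$ISRG")" != enabled ]; then
        echo "ISRG_Root_X1 not enabled"
    elif [ "$(cert_state "$1" "$DST")" = enabled ]; then
        echo "DST_Root_CA_X3 still enabled"
    else
        echo ok
    fi
}

# deselect_cert CONF ENTRY: same effect on this file as unticking the entry
deselect_cert() {
    tmp=$(mktemp) || return 1
    awk -v e="$2" '$0 == e { print "!" e; next } { print }' "$1" > "$tmp" &&
        cat "$tmp" > "$1"    # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# write_sample CONF: constructed sample, not a real system file
write_sample() {
    printf '%s\n' '# constructed sample' 'mozilla/ACCVRAIZ1.crt' \
        "$DST" "$ISRG" > "$1"
}

# Demo on the constructed sample; on a real host use /etc/ca-certificates.conf.
CONF=$(mktemp)
write_sample "$CONF"
echo "before: $(audit_conf "$CONF")"
deselect_cert "$CONF" "$DST"
echo "after:  $(audit_conf "$CONF")"
rm -f "$CONF"
```

On a real system the change only takes effect once `sudo update-ca-certificates` has been run, as in the first post.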

Re: LetsEncrypt's DST Root CA X3 certificate

<9ed8fbbe92ff477ee05fea65ddae9f54@dizum.com>

https://www.novabbs.com/computers/article-flat.php?id=9866&group=alt.privacy.anon-server#9866

Newsgroups: alt.privacy.anon-server
From: nob...@dizum.com (Nomen Nescio)
Subject: Re: LetsEncrypt's DST Root CA X3 certificate
References: <20211006.080348.bcbefd5d@mixmin.net>
<sjk643$lgv$1@news.mixmin.net> <INi7J.308218$ZXL.185191@fx09.ams1>
Message-ID: <9ed8fbbe92ff477ee05fea65ddae9f54@dizum.com>
Date: Wed, 6 Oct 2021 18:26:46 +0200 (CEST)
Newsgroups: alt.privacy.anon-server
Path: rocksolid2!i2pn.org!aioe.org!news.uzoreto.com!alphared!sewer!news.dizum.net!not-for-mail
Organization: dizum.com - The Internet Problem Provider
X-Abuse: abuse@dizum.com
Injection-Info: sewer.dizum.com - 2001::1/128
 by: Nomen Nescio - Wed, 6 Oct 2021 16:26 UTC

On 2021-10-06, SEC3 <admin@sec3.net> wrote:

> With that cert in place and the expired cert disabled your errors when
> using mixmaster-getstats should disappear.

Disabling the old certificate is needed if OpenSSL < 1.1, LibreSSL < 3.2 or
GnuTLS < 3.6.14 is in use and the server still includes the old chain (for
compatibility with ancient versions of Android).

"older versions of OpenSSL will reject a certificate chain that includes a
signature by an expired root, even if OpenSSL could validate the chain by
ignoring that certificate."

https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816
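
An added example, not part of the original post: the version thresholds quoted above turned into a shell check that can be fed the output of `openssl version`. It covers only the client-library half of the condition (whether the server still sends the old chain is not tested); the function names and sample banners are constructed.

```shell
#!/bin/sh
# Added example: decide from a library name and version whether the expired
# root has to be deselected, using the thresholds quoted in the post above.

# ver_lt A B: succeeds if dotted version A is lower than B.
# Letter suffixes such as the "u" in 1.0.2u are dropped by awk's numeric conversion.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = x[i] + 0; q = y[i] + 0      # missing component counts as 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1                              # equal is not lower
    }'
}

# must_deselect LIB VERSION -> prints yes, no or unknown
must_deselect() {
    case $1 in
        OpenSSL)  min=1.1 ;;
        LibreSSL) min=3.2 ;;
        GnuTLS)   min=3.6.14 ;;
        *) echo unknown; return ;;
    esac
    if ver_lt "$2" "$min"; then echo yes; else echo no; fi
}

# check_banner "OpenSSL 1.0.1t  3 May 2016" -> answer for `openssl version` output
check_banner() {
    set -- $1            # split the banner into words: name, version, date...
    must_deselect "$1" "$2"
}

# Constructed sample banners; on a real host use: check_banner "$(openssl version)"
for b in "OpenSSL 1.0.1t  3 May 2016" "OpenSSL 1.1.1n  15 Mar 2022" "LibreSSL 3.1.4"; do
    printf '%-30s %s\n' "$b" "$(check_banner "$b")"
done
```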

Re: LetsEncrypt's DST Root CA X3 certificate

<sjmq94$tth$1@news.mixmin.net>

https://www.novabbs.com/computers/article-flat.php?id=9870&group=alt.privacy.anon-server#9870

Newsgroups: alt.privacy.anon-server
Path: rocksolid2!i2pn.org!aioe.org!news.mixmin.net!.POSTED!not-for-mail
From: rem...@not-for-mail.invalid (rmd)
Newsgroups: alt.privacy.anon-server
Subject: Re: LetsEncrypt's DST Root CA X3 certificate
Date: Thu, 7 Oct 2021 07:47:33 -0500
Organization: Mixmin
Message-ID: <sjmq94$tth$1@news.mixmin.net>
References: <INi7J.308218$ZXL.185191@fx09.ams1>
Injection-Date: Thu, 7 Oct 2021 12:47:33 -0000 (UTC)
Injection-Info: news.mixmin.net; posting-host="9fa00cb090067f82b25f1668777eb2455f6f6d5d";
logging-data="30641"; mail-complaints-to="abuse@mixmin.net"
 by: rmd - Thu, 7 Oct 2021 12:47 UTC

>
> On 2021-10-06 8:51 a.m., rmd wrote:
>
>>>
>>> The PROBLEM:
>>>
>>> The "DST Root CA X3" certificate on your server has expired and has
>>> not been updated. Why? Because your OS is very old.
>>>
>>> THE FIX:
>>>
>>> Assuming you are using Debian8, Ubuntu16.04 or an even older
>>> end-of-life OS.
>>>
>>> sudo dpkg-reconfigure ca-certificates
>>>
>>> On the first screen that prompts "Trust new certificates from
>>> certificate authorities?" choose "yes".
>>>
>>> On the next screen press the down arrow key on your keyboard
>>> until you find mozilla/DST_Root_CA_X3.crt. Press the space
>>> bar to deselect it (the [*] should turn into [ ]) and press
>>> Enter.
>>>
>>> sudo update-ca-certificates
>>
>> Nothing shows up in /etc/ca-certificates/update.d
>>
>
> My servers are all Debian 10 or 11 so I am not experiencing this issue. But the above instructions merely disable the expired cert. Your system should, I believe, already have LetsEncrypt's replacement root cert: mozilla/ISRG_Root_X1.crt
>
> $ grep X1 /etc/ca-certificates.conf
>
> mozilla/ISRG_Root_X1.crt
>
> With that cert in place and the expired cert disabled your errors when using mixmaster-getstats should disappear. Whether Mixmaster uses wget or curl shouldn't matter. Both should now work without complaining.
>
> curl -I https://www.mixmin.net/echolot/pubring.mix
>
> HTTP/1.1 200 OK
> Date: Wed, 06 Oct 2021 14:54:06 GMT
> Server: Apache/2.4.38 (Debian)
> Last-Modified: Wed, 06 Oct 2021 08:00:01 GMT
> ETag: "4246-5cdaa8877ff7f"
> Accept-Ranges: bytes
> Content-Length: 16966
>

Upon trying to re-configure, this was skipped: mozilla/ACCVRAIZ1.crt
I re-enabled it and ran again.

This seems to be working again, so I'll keep an eye on it.

0 6,12,23 * * * /usr/bin/mixmaster-getstats > /dev/null 2>&1

Re: LetsEncrypt's DST Root CA X3 certificate

<lTD7J.246420$ya7f.30620@fx10.ams1>

https://www.novabbs.com/computers/article-flat.php?id=9872&group=alt.privacy.anon-server#9872

Newsgroups: alt.privacy.anon-server
Path: rocksolid2!news.neodome.net!feeder1.feed.usenet.farm!feed.usenet.farm!newsreader4.netcologne.de!news.netcologne.de!peer03.ams1!peer.ams1.xlned.com!news.xlned.com!fx10.ams1.POSTED!not-for-mail
Subject: Re: LetsEncrypt's DST Root CA X3 certificate
Newsgroups: alt.privacy.anon-server
References: <20211006.080348.bcbefd5d@mixmin.net>
<sjk643$lgv$1@news.mixmin.net> <INi7J.308218$ZXL.185191@fx09.ams1>
<9ed8fbbe92ff477ee05fea65ddae9f54@dizum.com>
From: adm...@sec3.net (SEC3)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <9ed8fbbe92ff477ee05fea65ddae9f54@dizum.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Lines: 25
Message-ID: <lTD7J.246420$ya7f.30620@fx10.ams1>
X-Complaints-To: abuse@blocknews.net
NNTP-Posting-Date: Thu, 07 Oct 2021 14:55:13 UTC
Organization: blocknews - www.blocknews.net
Date: Thu, 7 Oct 2021 10:55:12 -0400
X-Received-Bytes: 1823
 by: SEC3 - Thu, 7 Oct 2021 14:55 UTC

On 2021-10-06 12:26 p.m., Nomen Nescio wrote:
> On 2021-10-06, SEC3 <admin@sec3.net> wrote:
>
>> With that cert in place and the expired cert disabled your errors when
>> using mixmaster-getstats should disappear.
>
> Disabling the old certificate is needed if OpenSSL < 1.1, LibreSSL < 3.2 or
> GnuTLS < 3.6.14 is in use and the server still includes the old chain (for
> compatibility with ancient versions of Android).
>
> "older versions of OpenSSL will reject a certificate chain that includes a
> signature by an expired root, even if OpenSSL could validate the chain by
> ignoring that certificate."
>
> https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816
>

Thanks for this clarification. I see now it is not necessarily the age
of the OS but rather the version of OpenSSL being used that precipitates
this issue.

--
SEC3

YAMN Tutorials - https://sec3.net/yamnhelp
