On Wed, Apr 19, 2023 at 01:39:02AM +0200, Marco d'Itri wrote:
> Package: lighttpd
> Version: 1.4.69-1
> Severity: normal
>
> I am using the latest openssl and lighttpd packages on an armhf (with an
> arm64 kernel) and an amd64 system, and only on the armhf system I always
> get this warning at startup even just after having created a Let's
> Encrypt certificate.
>
> Apr 19 01:23:31 omitted.mi.bofh.it lighttpd[8876]: 2023-04-19 01:23:30:
> (mod_openssl.c.1335) SSL: inactive/expired X509 certificate
> '/var/lib/dehydrated/certs/omitted.mi.bofh.it/fullchain.pem'
>
> # openssl x509 -noout -text -in
> /var/lib/dehydrated/certs/bokassa.mi.bofh.it/fullchain.pem | grep -A2 Validity
> Validity
> Not Before: Apr 18 22:13:45 2023 GMT
> Not After : Jul 17 22:13:44 2023 GMT
>
> After looking at
> https://github.com/lighttpd/lighttpd1.4/blob/fdb7ffed88b9dfe09a51e7fb58e5ddfe938c1ec9/src/mod_openssl.c#L1284
>
> I wonder if this is common on all 32 bit systems instead.

No, this is not common on all 32-bit systems, though I am curious as to
why you are seeing that warning with a valid certificate.

To try to reproduce this, I took some LE certs and put them on a 32-bit
ARM system I have (which is running openwrt, not Debian).

$ uname -m
armv7l

$ cat /proc/cpuinfo | egrep "model|Features"
model name : ARMv7 Processor rev 1 (v7l)
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32

$ file /usr/sbin/lighttpd
/usr/sbin/lighttpd: ELF 32-bit LSB pie executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-armhf.so.1, no section header

The vfpv3 and /lib/ld-musl-armhf.so.1 confirm to me this is an armhf.
See also: https://www.baeldung.com/linux/arm64-armel-armhf-overview

My cert:

$ openssl x509 -noout -text -in /tmp/xxxxx.com/fullchain.pem | grep -A2 Validity
Validity
Not Before: Apr 10 22:15:43 2023 GMT
Not After : Jul 9 22:15:42 2023 GMT

==> I did not get any warning trace on that system with:

$ lighttpd -f test.conf -tt

using my LE certificates, though that test system has only lighttpd
1.4.67 at the moment.

My test system is running a 32-bit kernel. Please confirm you are
running an arm64 kernel, as you posted above.

What lighttpd package (from which architecture) do you have installed?

$ file /usr/sbin/lighttpd

might be useful. Please ensure that you have installed the proper
package for your architecture.

Is your system openssl-based or libressl-based?

The only change between lighttpd 1.4.67 and lighttpd 1.4.69 in lighttpd
mod_openssl that seemed to be related to this issue is that lighttpd
mod_openssl started using libressl ASN1_TIME_cmp_time_t() when
LIBRESSL_VERSION_NUMBER >= 0x3060000fL and this also requires that
lighttpd mod_openssl was built with libressl. The standard Debian
package for lighttpd mod_openssl is built with openssl.
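
A way to check the reported certificate window against the timestamp of the warning, independently of lighttpd, as an added example that is not part of the original thread or of lighttpd's code. It assumes the log timestamp is local time at the +0200 offset shown in the mail header; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the Validity lines quoted in the report above.
REPORTED = """Validity
    Not Before: Apr 18 22:13:45 2023 GMT
    Not After : Jul 17 22:13:44 2023 GMT
"""
MONTHS = {m: i + 1 for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}
FIELD = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s+GMT")


def parse_validity(text):
    """Return (not_before, not_after) in UTC from `openssl x509 -text` output."""
    found = {}
    for kind, stamp in FIELD.findall(text):
        # split() also absorbs the padding openssl puts before one-digit days
        mon, day, clock, year = stamp.split()
        h, m, s = (int(p) for p in clock.split(":"))
        found[kind] = datetime(int(year), MONTHS[mon], int(day), h, m, s,
                               tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block is incomplete")
    return found["Before"], found["After"]


def classify(text, now):
    """Window test: 'inactive' before notBefore, 'expired' after notAfter."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "inactive"
    if now > not_after:
        return "expired"
    return "valid"


def log_instant(stamp, utc_offset_hours):
    """Turn a lighttpd log timestamp (local time) into an aware datetime."""
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))


if __name__ == "__main__":
    # Assumption: the log line is local time at the mail header's +0200 offset.
    at_warning = log_instant("2023-04-19 01:23:30", 2)
    print("at warning time:", classify(REPORTED, at_warning))
    print("on this host now:", classify(REPORTED, datetime.now(timezone.utc)))
```
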