Certificate validity error download.postgresql.org

2021-10-14 Thread Cedric Rey 
Hi guys,

the certificate on download.postgresql.org has expired :

openssl s_client -connect download.postgresql.org:443
CONNECTED(0003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
---
Certificate chain
0 s:/CN=ftp.postgresql.org
   i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Best Regards

Cédric


Cédric Rey
Ingénieur systèmes
Informatique / infrastructures

Tél. 058 758 3427
Mobile 079 699 00 12
www.groupemutuel.ch
_
Groupe Mutuel - Rue des Cèdres 5 - 1919 Martigny

-
https://www.groupemutuel.ch
https://www.facebook.com/groupemutuel.ch
https://twitter.com/Groupe_Mutuel
https://www.linkedin.com/company/groupe-mutuel
https://www.instagram.com/groupemutuel/

This e-mail may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this e-mail in error) 
please notify the sender immediately and delete this e-mail.
Any unauthorized copying, disclosure or distribution of the material in this 
e-mail is strictly forbidden.

RE: Certificate validity error download.postgresql.org

2021-10-14 Thread Cedric Rey 
Hi, 

 It was indeed related to the ca-certificates package.

Thanks for your help!

Best Regards

-Message d'origine-
De : Christoph Moench-Tegeder [mailto:c...@burggraben.net] 
Envoyé : jeudi 14 octobre 2021 15:29
À : Cedric Rey 
Cc : pgsql-general@lists.postgresql.org
Objet : Re: Certificate validity error download.postgresql.org

## Cedric Rey (ce...@groupemutuel.ch):

> the certificate on download.postgresql.org has expired :
> 
> openssl s_client -connect download.postgresql.org:443
> CONNECTED(0003)
> depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3 verify 
> error:num=10:certificate has expired notAfter=Sep 30 14:01:15 2021 GMT

That's complaining about the "DST Root CA X3" certificate, and that's
(partially) expected: https://letsencrypt.org/2021/10/01/cert-chaining-help.html

But the fact that you're seeing this indicates that you're either running an 
horribly outdated version of openssl (as Daniel mentioned), but even CentOS' 
"OpenSSL 1.0.2k-fips  26 Jan 2017" has been fixed in this regard.
The other possibility is that your trusted CA list is outdated: that would be 
package ca-certificates (same name in deb and rpm world).
I do know from my own experience that at least the "old" (2020.2.something) 
Redhat package is missing the new "ISRG Root X1" certificate, you'll need 
version 2021.2.something.

Regards,
Christoph

--
Spare Space
-
https://www.groupemutuel.ch
https://www.facebook.com/groupemutuel.ch
https://twitter.com/Groupe_Mutuel
https://www.linkedin.com/company/groupe-mutuel
https://www.instagram.com/groupemutuel/

This e-mail may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this e-mail in error) 
please notify the sender immediately and delete this e-mail.
Any unauthorized copying, disclosure or distribution of the material in this 
e-mail is strictly forbidden.

RE: Certificate validity error download.postgresql.org

2021-10-14 Thread Cedric Rey 
rpm -q ca-certificates --changelog
* Tue Sep 14 2021 Bob Relyea  - 2021.2.50-72
- Fix expired certificate.
-Removing:
- # Certificate "DST Root CA X3"


As you can see they just remove the old "DST Root CA X3" in the latest el7 
ca-certificate version  which correct the problem I had before.

Openssl v1.0.2 is still the default version for Red Hat 7 and is already in the 
latest version available.

So no, it wasn't a failure to update ca-certificates for "several years" but 
for several days since the latest ca-certificates rpm was release Sep 14 2021.

Anyway thanks for pointing me out that it was an error related to this expired 
Root CA and not related to postgresql download site certificate.

Regards,

Cédric

-Message d'origine-
De : Tom Lane [mailto:t...@sss.pgh.pa.us] 
Envoyé : jeudi 14 octobre 2021 16:51
À : Christoph Moench-Tegeder 
Cc : Cedric Rey ; pgsql-general@lists.postgresql.org
Objet : Re: Certificate validity error download.postgresql.org

Christoph Moench-Tegeder  writes:
> I do know from my own experience that at least the "old" 
> (2020.2.something) Redhat package is missing the new "ISRG Root X1" 
> certificate, you'll need version 2021.2.something.

Seems unlikely that it changed that recently, for a couple of reasons:

* AFAICT, Red Hat's policy is to track the Mozilla NSS trusted-CA list exactly. 
 They do update from there only once a year or so, but NSS has trusted ISRG 
Root X1 for five years.

* Looking at "rpm -q ca-certificates --changelog" on a RHEL8 machine, the 
package maintainer appears to have started a policy in mid-2019 of listing 
every single cert addition and removal in the changelog.
None of the updates since then mention ISRG Root X1.

* While Let's Encrypt's list of compatible platforms [1] doesn't mention Red 
Hat directly, they do say that NSS has trusted X1 since release 3.26.
According to the changelog, Red Hat adopted that in August 2016:

* Tue Aug 16 2016 Kai Engert  - 2016.2.9-3
- Revert to the unmodified upstream CA list, changing the legacy trust
  to an empty list. Keeping the ca-legacy tool and existing config,
  however, the configuration has no effect after this change.

* Tue Aug 16 2016 Kai Engert  - 2016.2.9-2
- Update to CKBI 2.9 from NSS 3.26 with legacy modifications

So it sure looks from here like Red Hat has trusted the X1 certificate since 
mid-2016, pretty much the same length of time as other major distros.  The most 
probable explanation for the OP's problem seems to be failure to update 
ca-certificates and/or openssl at all for several years.

regards, tom lane

[1] https://letsencrypt.org/docs/certificate-compatibility/
-
https://www.groupemutuel.ch
https://www.facebook.com/groupemutuel.ch
https://twitter.com/Groupe_Mutuel
https://www.linkedin.com/company/groupe-mutuel
https://www.instagram.com/groupemutuel/

This e-mail may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this e-mail in error) 
please notify the sender immediately and delete this e-mail.
Any unauthorized copying, disclosure or distribution of the material in this 
e-mail is strictly forbidden.