
Issue trusting new Lets Encrypt-certificates

Since 2021-09-30, our on premise 8.5r10 has been having issues trusting certificates issued by Let's Encrypt, which I think is related to this: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

This causes issues with a few integrations to our other internal systems, mainly scheduled CRMscripts sending requests to retrieve JSON. There were no issues prior to the 30th of September...

 

The debug output from an HTTP instance attempting GET on any URL where Let's Encrypt certificates are used informs me that "SSL certificate problem: certificate has expired".

No browsers are having issues nor do they report on the certificate having expired. I can replicate the issue on two wholly separate and isolated installations of 8.5r10 by simply attempting the HTTP.get(String) method on any server using Let's Encrypt, i.e.:

  • https://curl.se
  • https://regjeringen.no/

#setLanguageLevel 3;

HTTP h;
h.setDebugMode(true);
h.get("https://curl.se/");
if(h.hasError())
{
  printLine(h.getDebug());
} else
{
  printLine("ok");
}

 

Since Service doesn't use the Windows Certificate Store but only the provided curl-ca-bundle.crt in the Service-folder on the server, I assume this CA certificate doesn't trust the new Let's Encrypt root certificate?

Here is the complete output from the code above:

== Info
CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!

== Info
Trying 151.101.66.49...

== Info
TCP_NODELAY set

== Info
Connected to curl.se (151.101.66.49) port 443 (#0)

== Info
ALPN, offering http/1.1

== Info
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

== Info
successfully set certificate verify locations:

== Info
CAfile: E:SuperOfficeSO_CS/curl-ca-bundle.crt
CApath: none

== Info
TLSv1.2 (OUT), TLS header, Certificate Status (22):

== Info
TLSv1.2 (OUT), TLS handshake, Client hello (1):

== Info
TLSv1.2 (IN), TLS handshake, Server hello (2):

== Info
TLSv1.2 (IN), TLS handshake, Certificate (11):

== Info
TLSv1.2 (OUT), TLS alert, Server hello (2):

== Info
SSL certificate problem: certificate has expired

== Info
Closing connection 0

== Info
TLSv1.2 (OUT), TLS alert, Client hello (1):

 

Is the issue with the curl-ca-bundle.crt in the Service-folder or am I misunderstanding something?

If it is the curl-ca-bundle.crt, is there any other solution except updating to a newer version (and presumably) getting an updated bundle certificate?

 

RE: Issue trusting new Lets Encrypt-certificates

Hi Sampo,

It is possible for you to download a more current version of curl-ca-bundle.crt from this site; this is updated in the latest SuperOffice version.

Note!

  • PEM file needs to be renamed to curl-ca-bundle.crt
  • If you manually update this file make sure it is overwritten when upgrading at a later point.

Sorry for the inconvenience.

By: Michel Krohn-Dale 13 Oct 2021

RE: Issue trusting new Lets Encrypt-certificates

Michel, you mention this is fixed in the latest SuperOffice version? What version would that be? 9.2 R12 shows the same issue.

By: David Hollegien 13 Oct 2021

RE: Issue trusting new Lets Encrypt-certificates

Hi, 

Sorry for being unclear about the version; this is fixed in the latest Online release.

By: Michel Krohn-Dale 13 Oct 2021

RE: Issue trusting new Lets Encrypt-certificates

Thanks for the quick response Michael!

I've confirmed everything works fine with the new ca-bundle, so it was easier to fix than I thought.

We just need to remember to replace it in new installations!

By: Sampo Kristoffersson 13 Oct 2021
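
An added example, not part of the original thread and not SuperOffice code: a Python check that can be run against the curl-ca-bundle.crt in the Service folder (for instance after a new installation) to see whether the bundle contains Let's Encrypt's current root and whether it still carries expired roots. The root names ISRG Root X1 and DST Root CA X3 are assumptions taken from Let's Encrypt's published chain documentation, and the sample records are constructed.

```python
import ssl
import sys
import time

REQUIRED_ROOT = "ISRG Root X1"  # assumption: Let's Encrypt's current root CA

# Constructed records in the shape ssl.SSLContext.get_ca_certs() returns.
SAMPLE_OLD = [{"subject": ((("commonName", "DST Root CA X3"),),),
               "notAfter": "Sep 30 14:01:15 2021 GMT"}]
SAMPLE_NEW = [{"subject": ((("commonName", "ISRG Root X1"),),),
               "notAfter": "Jun  4 11:04:38 2035 GMT"}]


def common_name(cert):
    """Return the subject commonName of an ssl-module certificate dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def load_bundle(path):
    """Read the CA certificates of a PEM bundle; no network connection is made."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()


def audit(certs, now=None):
    """Report whether the required root is present and which roots have expired."""
    now = time.time() if now is None else now
    live, expired = [], []
    for cert in certs:
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        (expired if not_after < now else live).append(common_name(cert))
    return {
        "has_required_root": REQUIRED_ROOT in live,
        "expired": sorted(expired),
        # Replace the bundle if the new root is missing or expired roots remain.
        "needs_update": REQUIRED_ROOT not in live or bool(expired),
    }


if __name__ == "__main__":
    certs = load_bundle(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OLD
    print(audit(certs))
```

Pass the path to the bundle as the first argument; without an argument the script audits the constructed old-bundle sample.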