search for: addtrust

...cates-2018.2.22-65.1.el6.noarch has a big problem ... many certificates were removed - my proxy uses this as source and isn't able to validate correct any more - most sites show this: /[No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) /Self-signed SSL Certificate in chain: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root Self-signed SSL Certificate in chain: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA and many other Root certificates are missing ... Greetings, Walter

...6.12.90, *TLS > handshaking: SSL_accept() syscall failed: Success*, > session=<B9OokqCUD+UYNU8K> Unless you meanwhile managed to solve your issue I see none from my side. Should be client side else. # openssl s_client -connect 3.222.54.62:993 CONNECTED(00000003) depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify return:1 depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority verify return:1 depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited...

I know this is something which should have a simple fix but I'm failing to see it somehow. I'm moving samba service between a couple of FreeBSD systems (9.3 to 10.2), and I'm stuck on getting samba on the new machine to connect to our openldap server over ssl - frustrating since I've been running samba+ldap for 15 years or so; feel sure I'm missing something basic!

In setting up my new mail server, I am getting the following in the logs: Oct 11 07:10:59 kumo dovecot[5704]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=24.53.79.10, lip=172.26.12.90, *TLS handshaking: SSL_accept() syscall failed: Success*, session=<B9OokqCUD+UYNU8K> I have tried various ssl_protocols entries, but for now have defaulted back to

...ter/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root --- Server certificate -----BEGIN CERTIFICATE----- MIIFVjCCBD6gAwIBAgIQWCEHgEVoKToQkXoG3+g1cTANBgkqhkiG9w0BAQsFADCB kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G fs2e2XCjkEVu/YR7exKkmTf9wkhZ+tD0+S8= -----E...

...has a big problem ... > many certificates were removed - my proxy uses this as source and isn't > able to validate correct any more - > most sites show this: > > /[No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) > > /Self-signed SSL Certificate in chain: /C=SE/O=AddTrust AB/OU=AddTrust > External TTP Network/CN=AddTrust External CA Root > > Self-signed SSL Certificate in chain: /C=US/O=DigiCert > Inc/OU=www.digicert.com/CN=DigiCert Global Root CA > > and many other Root certificates are missing ... > Not sure why they were removed but in the p...

...gt; many certificates were removed - my proxy uses this as source and isn't >> able to validate correct any more - >> most sites show this: >> >> /[No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) >> >> /Self-signed SSL Certificate in chain: /C=SE/O=AddTrust AB/OU=AddTrust >> External TTP Network/CN=AddTrust External CA Root >> >> Self-signed SSL Certificate in chain: /C=US/O=DigiCert >> Inc/OU=www.digicert.com/CN=DigiCert Global Root CA >> >> and many other Root certificates are missing ... >> > > Not su...

...\030\027\021\026\f\000\025\033\020\000\000\022\000\r" #1 0x00007f1a586d8c50 in ___vsnprintf_chk ( s=0x1fe0e38 "proxy: Received invalid SSL certificate from \314-A\235q\210\021\b\354\062Lz?)\367.\002 \031\233 \362w?\224\356K7\343\224 \002\037\364!+\266\371\277O`K\021\b\315:6: k/CN=AddTrust External CA Root", maxlen=<value optimized out>, flags=1, slen=<value optimized out>, format=0x7f1a58c90ad8 "proxy: Received invalid SSL certificate from %s:%u: %s", args=0x7ffd537d0a80) at vsnprintf_chk.c:65 sf = {f = {_sbf = {_f = {_flags = -72515583,...

...e37f501a899deb3bf7ea8adbbd3aef1c412da Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME= Valid untilSat, 30 May 2020 10:48:38 UTC (expired 8 hours and 51 minutes ago) EXPIRED AFAICT this is the reason: https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020 FYI, Gabor

...----BEGIN CERTIFICATE----- [base64 cert] -----END CERTIFICATE----- What you need to do is replace the final certificate with this one (just copy-paste the base64 cert): https://crt.sh/?d=1720081 .Then restart the server. See here for details: https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 . This site talks about "For business processes that depend on very old systems...." but the reality is that this affects everything that uses openssl for https, including curl, svn, etc.

...> > > Valid untilSat, 30 May 2020 10:48:38 UTC (expired 8 hours and 51 > > > > minutes ago) EXPIRED > > > > > > > > AFAICT this is the reason: > > > > https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020 > > > > > > > > FYI, > > > > Gabor > > > > > > > > ______________________________________________ > > > > R-devel at r-project.org mailing list > > > > https://stat.ethz.ch/mailman/...

...grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME= > > Valid untilSat, 30 May 2020 10:48:38 UTC (expired 8 hours and 51 > > minutes ago) EXPIRED > > > > AFAICT this is the reason: > > https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020 > > > > FYI, > > Gabor > > > > ______________________________________________ > > R-devel at r-project.org mailing list > > https://stat.ethz.ch/mailman/listinfo/r-devel > > -- > Peter Dalgaard, Professor, > Cen...

...t): https://crt.sh/?d=1720081 .Then > restart the server. You can also export this from Keychain Access on macOS, btw. find "COMODO RSA Certification Authority" and right click, export, PEM format. > See here for details: > https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 > . This site talks about "For business processes that depend on very > old systems...." but the reality is that this affects everything that > uses openssl for https, including curl, svn, etc. Btw. why does this affect openssl? That root ce...

...1c412da > Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME= > Valid untilSat, 30 May 2020 10:48:38 UTC (expired 8 hours and 51 > minutes ago) EXPIRED > > AFAICT this is the reason: > https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020 > > FYI, > Gabor > > ______________________________________________ > R-devel at r-project.org mailing list > https://stat.ethz.ch/mailman/listinfo/r-devel -- Peter Dalgaard, Professor, Center for Statistics, Copenhagen Business School Solb...

...QGo67CYDnvprLg5yRME= > > > Valid untilSat, 30 May 2020 10:48:38 UTC (expired 8 hours and 51 > > > minutes ago) EXPIRED > > > > > > AFAICT this is the reason: > > > https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020 > > > > > > FYI, > > > Gabor > > > > > > ______________________________________________ > > > R-devel at r-project.org mailing list > > > https://stat.ethz.ch/mailman/listinfo/r-devel > > > &gt...

...gt;>> Valid untilSat, 30 May 2020 10:48:38 UTC (expired 8 hours and 51 >>>>> minutes ago) EXPIRED >>>>> >>>>> AFAICT this is the reason: >>>>> https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020 >>>>> >>>>> FYI, >>>>> Gabor >>>>> >>>>> ______________________________________________ >>>>> R-devel at r-project.org mailing list >>>>> https://stat.ethz.ch/m...