SSL Problems
195 views
Skip to first unread message
Moritz Bastian
Oct 4, 2021, 10:22:18 AM10/4/21
to Ant Media Server
Hi,
I have problems renewing my cert. It always says "R3 certificate has expired".
Ubuntu 18.04.5 LTS
Certbot Version: 0.27.0
Do I somehow have to delete R3 as ca-cert?
All the best,
Moritz
Mohit Dubey
Oct 4, 2021, 11:11:58 AM10/4/21
to Ant Media Server
Hello Moritz,
I think there were some issues recently with Lets encrypt ssl certifications.
Can you please generate a new one and enable SSL according to https://github.com/ant-media/Ant-Media-Server/wiki/SSL-Setup
For self signed certificates you can refer https://github.com/ant-media/Ant-Media-Server/wiki/Frequently-Asked-Questions#how-to-use-self-signed-certificate-on-ant-media-server
--
Best Regards,
Mohit Dubey
Joseph Brundige
Oct 4, 2021, 11:41:47 AM10/4/21
to Mohit Dubey, Ant Media Server
We had this same issue last week and we were forced to purchase a certificate and install it. The letsencrypt cert would not work for users on Mac computers.
--
You received this message because you are subscribed to the Google Groups "Ant Media Server" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ant-media-serv...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ant-media-server/77975e1f-c88a-44f3-8cb7-56c6c51d9716n%40googlegroups.com.
Moritz Bastian
Oct 4, 2021, 1:07:02 PM10/4/21
to Ant Media Server
Somehow the Website on this Server is working - Port 5443 has problems with an expired certificate - BUT Certificate is the same.
Ben Bowler
Oct 5, 2021, 12:54:28 PM10/5/21
to Ant Media Server
It's an issue with the R3 root cert. Any options to fix?
Message has been deleted
Murat Eminoglu
Oct 5, 2021, 3:29:24 PM10/5/21
to Ant Media Server
Hi everyone,
Let me explain this.
Let's Encrypt was using "DST ROOT CA X3" for certificates and it has been expired on 30 of September 2021. Because of this, since there are not any new CAs in the clients, certificate errors occurred, and Let's Encrypt now uses "ISGR ROOT X1" and "ISRG ROOT X2" as new Root CAs.
To solve the certificate errors, you should import the following certificates (ISGR ROOT X1, ISRG ROOT X2, ) to your computers or other devices.
You may also get a certificate error because the ones in the list below use "DST ROOT CA X3".
Windows >= XP SP3 (assuming Automatic Root Certificate Update isn’t manually disabled)
macOS >= 10.12.1
iOS >= 10 (iOS 9 does not include it)
iPhone 5 and above can upgrade to iOS 10 and can thus trust ISRG Root X1
Android >= 7.1.1 (but Android >= 2.3.6 will work by default due to our special cross-sign)
Mozilla Firefox >= 50.0
Ubuntu >= xenial / 16.04 (with updates applied)
Debian >= jessie / 8 (with updates applied)
Java 8 >= 8u141
Java 7 >= 7u151
NSS >= 3.26
I hope it's clear now.
Regards.
5 Ekim 2021 Salı tarihinde saat 19:54:28 UTC+3 itibarıyla Ben Bowler şunları yazdı:
Joseph Brundige
Oct 5, 2021, 3:37:29 PM10/5/21
to Murat Eminoglu, Ant Media Server
Yes, but this is not a good solution because you’d have to tell all your end users about it and most will have no idea how to import those certificates. A better solution is to buy a certificate and replace the let’s encrypt certificate.
To view this discussion on the web visit https://groups.google.com/d/msgid/ant-media-server/346f9d01-a545-4abf-88c1-8a13644c15b1n%40googlegroups.com.
Murat Eminoglu
Oct 5, 2021, 6:06:47 PM10/5/21
to Ant Media Server
You could face the same issue when you get a Custom certificate if the CA duration expires or it renews because of an issue. Keeping the client OS side up to date is a good solution.
https://letsencrypt.org/docs/certificate-compatibility/
Regards.
https://letsencrypt.org/docs/certificate-compatibility/
Regards.
5 Ekim 2021 Salı tarihinde saat 22:37:29 UTC+3 itibarıyla j...@joebrundige.com şunları yazdı:
Joseph Brundige
Oct 5, 2021, 6:14:19 PM10/5/21
to Murat Eminoglu, Ant Media Server
I am very confused as to why you think asking end users to perform a complicated task on their system is a better solution than swapping out the SSL certificate? Even brand new Macbook Pros with updated software have this issue.
We purchased a wildcard from Setigo and it works great and now all errors are gone. This problem was a nightmare for us last week and cost us a lot of money. I wouldn't recommend anyone stay with Letsencrypt cert. Just my opinion.
Joe
To view this discussion on the web visit https://groups.google.com/d/msgid/ant-media-server/e5926afd-8f55-4303-bb54-827cefb0a00dn%40googlegroups.com.
Gilbert Arias
Oct 5, 2021, 8:34:28 PM10/5/21
to Joseph Brundige, Murat Eminoglu, Ant Media Server
this problem was advised since 2 weeks before it happens its your fault if it catch you out of base, i just simply updated my server same day and no issues comes from lets encrypt side
To view this discussion on the web visit https://groups.google.com/d/msgid/ant-media-server/CA%2B8s18-XBbGcRWoSWqnwo9dsZpz6owEFjhoaypxP0%2BoLnKgOLg%40mail.gmail.com.
Joseph Brundige
Oct 5, 2021, 8:46:33 PM10/5/21
to Gilbert Arias, Ant Media Server, Murat Eminoglu
Thanks Gilbert. How did you update your server?
Ben Bowler
Oct 20, 2021, 3:07:15 AM10/20/21
to Ant Media Server
Do you mean update to the latest version of AMS?
Reply all
Reply to author
Forward
0 new messages