
Peer Certificate Expired


Jill McQuown

Mar 10, 2016, 11:29:31 AM
It's 2016. This morning 3/10/2016 I suddenly started getting this error
when trying to use eternal-september to access my usual newsgroups. (FYI,
I'm using the latest version of Thunderbird as my email client so I access
newsgroups and eternal-september via that gateway.)

I've never encountered this peer certificate error before.

Looking up the error online, it seems to be reported every few years. You
mentioned in one reply you forgot to upload the renewed certificate.

How about you just upload the current certificate rather than send me on
the hunt for another newsgroup reader? I and others would likely much
appreciate it.

Jill

RVG

Mar 10, 2016, 1:17:23 PM
Hi,
I've reinstalled the Cacert certificates and it doesn't fix it. SSL is
still broken on TB - again. :/

--
Media vita in morte sumus.

http://jamen.do/l/154722
http://bluedusk.blogspot.fr/
http://soundcloud.com/rvgronoff
http://www.toutelapoesie.com/salons/user/18908-guillaume-daquile/

Mike Easter

Mar 10, 2016, 2:00:10 PM
Jill McQuown wrote:
> How about you just upload the current certificate rather than send me on
> the hunt for another newsgroup reader? I and others would likely much
> appreciate it.

I don't normally use SSL for e-s, but if I contact the server with openssl:

openssl s_client -connect news.eternal-september.org:563

... I get (among other info):

Certificate chain
0 s:/CN=news.eternal-september.org
i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=sup...@cacert.org
1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=sup...@cacert.org
i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=sup...@cacert.org
---
Server certificate
subject=/CN=news.eternal-september.org
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=sup...@cacert.org
---
No client certificate CA names sent
---
SSL handshake has read 4358 bytes and written 421 bytes
---


--
Mike Easter

Bobbie Sellers

Mar 10, 2016, 2:04:30 PM
On 03/10/2016 10:17 AM, RVG wrote:
> On 10/03/2016 17:26, Jill McQuown wrote:
>> It's 2016. This morning 3/10/2016 I suddenly started getting this error
>> when trying to use eternal-september to access my usual newsgroups. (FYI,
>> I'm using the latest version of Thunderbird as my email client so I access
>> newsgroups and eternal-september via that gateway.)
>>
>> I've never encountered this peer certificate error before.
>>
>> Looking up the error online, it seems to be reported every few years. You
>> mentioned in one reply you forgot to upload the renewed certificate.
>>
>> How about you just upload the current certificate rather than send me on
>> the hunt for another newsgroup reader? I and others would likely much
>> appreciate it.
>>
>> Jill
>>
>
> Hi,
> I've reinstalled the Cacert certificates and it doesn't fix it. SSL is
> still broken on TB - again. :/
>

I am using Thunderbird version 38.6.0 and having no certificate
problem at this time.

Has the user kept up the updates for their distribution?

bliss

Mike Coddington

Mar 10, 2016, 3:38:37 PM
On 2016-03-10, Mike Easter <Mi...@ster.invalid> wrote:
> Jill McQuown wrote:
>> How about you just upload the current certificate rather than send me on
>> the hunt for another newsgroup reader? I and others would likely much
>> appreciate it.
>
> I don't normally use SSL for e-s, but if I contact the server with openssl:
>
> openssl s_client -connect news.eternal-september.org:563
>
> ... I get (among other info):
>
> Certificate chain
> 0 s:/CN=news.eternal-september.org
> i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing

Following up on that, if I take that certificate and decode it with
openssl, it expires today.

$ openssl x509 -in cert.crt -text -noout

...
Validity
Not Before: Sep 12 14:26:08 2015 GMT
Not After : Mar 10 14:26:08 2016 GMT

So, it looks like the certificate on the server needs to be replaced.

--
There is hardly a thing in the world that some man can not make a little
worse and sell a little cheaper.

Mike Easter

Mar 10, 2016, 4:02:33 PM
Mike Coddington wrote:
> if I take that certificate and decode it with
> openssl, it expires today.

... expireD, past tense ...

> $ openssl x509 -in cert.crt -text -noout

Ah so. Tnx.

> Not After : Mar 10 14:26:08 2016 GMT

It is currently about 21:00 GMT/UTC.

> So, it looks like the certificate on the server needs to be replaced.

Yes. (And/But) Tb gives no info about there being a server cert problem
for me when I set up a system to SSL with Tb with imported cacert/s. It
just fails to access, not even getting as far as any nntp logs to help.


--
Mike Easter

Bobbie Sellers

Mar 10, 2016, 4:57:48 PM
On 03/10/2016 01:02 PM, Mike Easter wrote:
> Mike Coddington wrote:
>> if I take that certificate and decode it with
>> openssl, it expires today.
>
> .... expireD, past tense ...
>
>> $ openssl x509 -in cert.crt -text -noout
>
> Ah so. Tnx.
>
>> Not After : Mar 10 14:26:08 2016 GMT
>
> It is currently about 21:00 GMT/UTC.
>
>> So, it looks like the certificate on the server needs to be replaced.
>
> Yes. (And/But) Tb gives no info about there being a server cert problem
> for me when I set up a system to SSL with Tb with imported cacert/s. It
> just fails to access, not even getting as far as any nntp logs to help.
>
>


I won't say I don't have this problem until later today
but my Usenet connection is still functioning with eternal-september.

bliss

Mike Easter

Mar 10, 2016, 5:14:20 PM
Bobbie Sellers wrote:
> Mike Easter wrote:

>> Yes. (And/But) Tb gives no info about there being a server cert
>> problem for me when I set up a system to SSL with Tb with imported
>> cacert/s. It just fails to access, not even getting as far as any
>> nntp logs to help.
>
> I won't say I don't have this problem until later today
> but my Usenet connection is still functioning with eternal-september.

To clarify; I normally do e-s port 119 no security. That is working fine.

Whenever I want to 'test' a server's 'alternate' SSL connectivity, I
CANNOT test it with the same system as has the non-secure with Tb
because Tb will not allow to set up two different server accounts with
the same named server such as news.eternal-september.org (one secure and
one not)-- nor particularly such as news.mixmin.net which only has one
name available. e-s has another nntps.

So, I boot a live linux distro and configure its Tb for the secured
server on port 563. That didn't work for me even after I dl/ed the 2
cacerts and imported them into the test system.

In this case, I could have also tried e-s server named reader443 on port
443 SSL, but I didn't.


--
Mike Easter

Adam H. Kerman

Mar 10, 2016, 5:21:26 PM
Mike Easter <Mi...@ster.invalid> wrote:
>Bobbie Sellers wrote:
>>Mike Easter wrote:

>>>Yes. (And/But) Tb gives no info about there being a server cert
>>>problem for me when I set up a system to SSL with Tb with imported
>>>cacert/s. It just fails to access, not even getting as far as any
>>>nntp logs to help.

>> I won't say I don't have this problem until later today
>>but my Usenet connection is still functioning with eternal-september.

>To clarify; I normally do e-s port 119 no security. That is working fine.

>Whenever I want to 'test' a server's 'alternate' SSL connectivity, I
>CANNOT test it with the same system as has the non-secure with Tb
>because Tb will not allow to set up two different server accounts with
>the same named server such as news.eternal-september.org (one secure and
>one not)-- nor particularly such as news.mixmin.net which only has one
>name available. e-s has another nntps. . . .

Dear ghod. That Tbird has such a large user base continues to
mystify me, when it doesn't do certain things I take for granted on
trn 4, like logging in via different ports using different protocols
on the same server.

Mike Easter

Mar 10, 2016, 5:33:35 PM
Adam H. Kerman wrote:
> Mike Easter

>> Whenever I want to 'test' a server's 'alternate' SSL connectivity,
>> I CANNOT test it with the same system as has the non-secure with
>> Tb because Tb will not allow to set up two different server
>> accounts with the same named server such as
>> news.eternal-september.org (one secure and one not)-- nor
>> particularly such as news.mixmin.net which only has one name
>> available. e-s has another nntps. . . .

> Dear ghod. That Tbird has such a large user base continues to
> mystify me, when it doesn't do certain things I take for granted on
> trn 4, like logging in via different ports using different protocols
> on the same server.

I can 'flip' the same account from secured to not; I can NOT have two
different accounts with the same server name with Tb.

One reason this feature/condition seems silly is that the configuration
includes giving each account a 'chosen' name separate from the server's
name. If the Tb developers had allowed the chosen name to control its
functional identity, then one could have multiple different (chosen
name) accounts using the same server (name).



--
Mike Easter

RVG

Mar 11, 2016, 1:44:45 AM
Uh, it does. I use ES through news.eternal-september.org that can open
from either port 119 (nntp) or 563 (nntps).

Mike Easter

Mar 11, 2016, 9:17:04 AM
RVG wrote:
> Mike Easter wrote:

>> I can 'flip' the same account from secured to not; I can NOT have two
>> different accounts with the same server name with Tb.
>>
>> One reason this feature/condition seems silly is that the
>> configuration includes giving each account a 'chosen' name separate
>> from the server's name. If the Tb developers had allowed the chosen
>> name to control its functional identity, then one could have
>> multiple different (chosen name) accounts using the same server
>> (name).
>
> Uh, it does. I use ES through news.eternal-september.org that can open
> from either port 119 (nntp) or 563 (nntps).
>
That is what I said in the first paragraph above.

However, I cannot have one Tb account whose name is e-sSSL and another
account whose account name is e-s which both have the same server name
news.eternal-september.org and which use ports 563 and 119 respectively.

That is what I said in the second paragraph above.

--
Mike Easter

Mike Easter

Mar 11, 2016, 9:26:06 AM
Mike Coddington wrote:
> $ openssl x509 -in cert.crt -text -noout
>
> ...
> Validity
> Not Before: Sep 12 14:26:08 2015 GMT
> Not After : Mar 10 14:26:08 2016 GMT
>
> So, it looks like the certificate on the server needs to be replaced.

So, it is fixed now.

Validity
Not Before: Mar 11 03:35:20 2016 GMT
Not After : Sep 7 03:35:20 2016 GMT


--
Mike Easter

Lewis

Mar 11, 2016, 10:31:20 AM
In message <nbukc4$c3e$1...@dont-email.me>
Huh. Less than 6 months?

--
'My strength is like the strength of ten because my heart is pure,' said
Carrot. 'Really? Well, there's eleven of them.' --Jingo

Mike Easter

Mar 11, 2016, 11:34:20 AM
Lewis wrote:
> Mike Easter wrote:

>> So, it is fixed now.
>
>> Validity
>> Not Before: Mar 11 03:35:20 2016 GMT
>> Not After : Sep 7 03:35:20 2016 GMT
>
> Huh. Less than 6 months?
>
http://wiki.cacert.org/FAQ/Privileges

Level Description

Table; some are 6 mo, some 12, some 24.

--
Mike Easter

Barry Margolin

Mar 11, 2016, 12:52:09 PM
In article <nbursh$bn1$1...@dont-email.me>,
Looks like the 6-month certificates are actually 180 days.

--
Barry Margolin
Arlington, MA

Mike Easter

Mar 11, 2016, 1:42:33 PM
Barry Margolin wrote:
> Mike Easter wrote:
>> Lewis wrote:
>>> Mike Easter wrote:

>>>> Not Before: Mar 11 03:35:20 2016 GMT
>>>> Not After : Sep 7 03:35:20 2016 GMT
>>>
>>> Huh. Less than 6 months?
>>>
>> http://wiki.cacert.org/FAQ/Privileges
>>
>> Level Description
>>
>> Table; some are 6 mo, some 12, some 24.
>
> Looks like the 6-month certificates are actually 180 days.
>
Certainly that applies to the above and to the preceding

> Not Before: Sep 12 14:26:08 2015 GMT
> Not After : Mar 10 14:26:08 2016 GMT

If 'common' interval parlances are often 30, 60, 90, and 180 days (but
180 days is referred to as '6 months' [as in 6 hypothetical 30-day
intervals]), the interval concept must surely 'shift' when the interval
is referred to as 12 months or 24 months, so that it is actually a
'genuine' year or two as opposed to a 'mere' 360 or 720 days.

Also, that little 'short-change' must surely result in frequent renewal
oversights by 'some days'.

--
Mike Easter

Barry Margolin

Mar 11, 2016, 9:39:20 PM
In article <nbv3cu$aj2$1...@dont-email.me>,
Only if you're pretty careless. When you get the certificate it says
what the expiration date is, and decent certificate providers send out
reminder emails well in advance.

I wonder what Ray's excuse was...
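
Added example (not part of any post in this thread): Python that parses the Validity fields quoted above, confirms that both certificates have a 180-day lifetime, measures the window during which neither was valid, and flags a certificate that is inside a renewal window. The 30-day warning threshold and all function names are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Validity blocks as quoted in the thread from `openssl x509 -text -noout`.
OLD_CERT = """Validity
Not Before: Sep 12 14:26:08 2015 GMT
Not After : Mar 10 14:26:08 2016 GMT"""
NEW_CERT = """Validity
Not Before: Mar 11 03:35:20 2016 GMT
Not After : Sep 7 03:35:20 2016 GMT"""

_FIELD = re.compile(r"Not (Before|After)\s*:\s*(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT")

def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from openssl text output."""
    found = {}
    for kind, stamp in _FIELD.findall(text):
        # openssl pads single-digit days with an extra space; collapse it first.
        stamp = " ".join(stamp.split())
        found[kind] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block is missing Not Before or Not After")
    return found["Before"], found["After"]

def status(text, now, warn=timedelta(days=30)):
    """Classify a certificate at `now`: not-yet-valid, expired, renew-soon or ok."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    return "renew-soon" if not_after - now <= warn else "ok"

def coverage_gap(old_text, new_text):
    """Time during which neither certificate was valid (zero if they overlap)."""
    _, old_end = parse_validity(old_text)
    new_start, _ = parse_validity(new_text)
    return max(new_start - old_end, timedelta(0))

def lifetime_days(text):
    """Whole days between Not Before and Not After."""
    not_before, not_after = parse_validity(text)
    return (not_after - not_before).days

if __name__ == "__main__":
    # About 21:00 UTC on Mar 10, 2016, the time mentioned in the thread.
    now = datetime(2016, 3, 10, 21, 0, tzinfo=timezone.utc)
    print(status(OLD_CERT, now), lifetime_days(OLD_CERT), lifetime_days(NEW_CERT))
    print("gap:", coverage_gap(OLD_CERT, NEW_CERT))
```

Run on a schedule against the live server's certificate, the `renew-soon` state is what would prompt a renewal before clients start failing.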

griff...@hotmail.com

Feb 13, 2018, 5:14:32 PM
I'm getting this right now whenever I click on a newsgroup post.

Barry Margolin

Feb 14, 2018, 11:59:14 AM
In article <8bf7a802-572e-4b47...@googlegroups.com>,
The certificate expired yesterday.

Fritz

Feb 14, 2018, 1:12:08 PM
On 14.02.18 at 17:59, Barry Margolin wrote:
>> I'm getting this right now whenever I click on a newsgroup post.
> The certificate expired yesterday.

Yes, I downloaded this certificate into the TB certificate store and had seen
this too!

--
Fritz
The 'colorful' goings-on in some groups (suitable FUP2 not ruled out):
'Alternative truths' 'Alternative facts' 'Post-factual truths'
'Fake News' 'Colorful language'