Hi,
On Tue, 21 Nov 2017 at 11:57:10 +0100, Dennis Roczek wrote:
> We just got a new wiki-certificate from Let's encrypt. Maybe they
> changed something fundamental...?
The cert was last renewed 2 weeks ago, if there was a problem with the
X.509 chain I guess someone would have complained before :-P
$ openssl s_client -connect wiki.documentfoundation.org:443 \
    -servername wiki.documentfoundation.org </dev/null 2>/dev/null \
    | openssl x509 -noout -dates
notBefore=Nov 4 02:07:05 2017 GMT
notAfter=Feb 2 02:07:05 2018 GMT
> @Guilhem: do you know more about changes there?
I noticed the OCSP response stapled to the TLS handshake was out of
date since this morning at 03:00 UTC.
$ openssl s_client -connect wiki.documentfoundation.org:443 \
    -servername wiki.documentfoundation.org -status </dev/null 2>/dev/null
[…]
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Nov 14 03:08:00 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 03686441D74F5FFBC5CF4FDD4504FBFA9DDA
    Cert Status: good
    This Update: Nov 14 03:00:00 2017 GMT
    Next Update: Nov 21 03:00:00 2017 GMT
[…]
Apparently nginx kept querying the OCSP responder but all requests timed
out so the stapled data wasn't refreshed. That's weird, AFAIK nginx
only caches DNS responses for the zone TTL, but we got a valid response
after reloading the server:
$ openssl s_client -connect wiki.documentfoundation.org:443 \
    -servername wiki.documentfoundation.org -status </dev/null 2>/dev/null
[…]
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Nov 19 03:11:00 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 0324F7EDB9BE813D301B509273649D7E7614
    Cert Status: good
    This Update: Nov 19 03:00:00 2017 GMT
    Next Update: Nov 26 03:00:00 2017 GMT
[…]
I assume not all browsers were affected because some fall back to querying
the OCSP responder manually when the stapled information is out of date.
Cheers,
--
Guilhem.
--
To unsubscribe e-mail to: website+unsubscribe@global.libreoffice.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/website/
All messages sent to this list will be publicly archived and cannot be deleted
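A monitoring check for the failure mode discussed in this thread, added here as an example (it is not code from the mail or from the TDF infrastructure): it parses the output of the same `openssl s_client -status` probe and classifies the stapled response as missing, stale (Next Update already passed, as nginx served it for days here), about to expire, or fine. The function names are my own, and the sample staple text is constructed from the first response quoted above.

```python
"""Classify the OCSP response an HTTPS server staples into the TLS handshake."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `openssl s_client -status` output,
# carrying the validity window of the stale staple quoted in the mail.
SAMPLE_STAPLE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Nov 14 03:00:00 2017 GMT
    Next Update: Nov 21 03:00:00 2017 GMT
"""

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)  # aware UTC datetime helper

def _parse_time(value):
    # openssl pads single-digit days ("Nov  4 ..."); collapse the whitespace first.
    fmt = "%b %d %H:%M:%S %Y GMT"
    return datetime.strptime(" ".join(value.split()), fmt).replace(tzinfo=timezone.utc)

def parse_staple(output):
    """Return {'status', 'this_update', 'next_update'}, or None if nothing was stapled."""
    if "OCSP Response Data:" not in output:
        return None
    def field(key):
        m = re.search(rf"^\s*{key}:\s*(.+?)\s*$", output, re.MULTILINE)
        return m.group(1) if m else None
    return {"status": field("Cert Status"),
            "this_update": _parse_time(field("This Update")),
            "next_update": _parse_time(field("Next Update"))}

def check_staple(output, now, warn_before=timedelta(hours=24)):
    """'missing', 'stale', 'expiring', 'ok', or a non-good status such as 'revoked'."""
    info = parse_staple(output)
    if info is None:
        return "missing"
    if info["status"] != "good":
        return info["status"]
    if now >= info["next_update"]:           # clients may reject or refetch this
        return "stale"
    if now + warn_before >= info["next_update"]:
        return "expiring"                    # the server should have refreshed by now
    return "ok"

def fetch_staple(host, port=443):
    """Live probe: the same openssl invocation used in the mail, with -status."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    return subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True, text=True, timeout=15).stdout
```

Run it from cron as `check_staple(fetch_staple("wiki.example"), datetime.now(timezone.utc))` and alert on anything other than "ok"; the "expiring" state is the one that would have caught this refresh failure before the staple went stale.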