Open jarmo opened 3 years ago
Thanks for reporting this. I'm not seeing any expired certificates on my end. Do you know what was the exact message that popped up for you?
I cannot reproduce it anymore either. It was the regular message where the certificate is not valid, and upon inspection it expired on 24.09.21.
Is it possible that this download endpoint is behind some load-balancer having multiple servers?
That's a good point. It's not behind a load-balancer. However, I did see some stalled bind processes and just restarted the server. I'll keep an eye on this as someone else reported a few months back something similar that appeared to be a DNS issue. Thanks again!
Possibly related. I was trying to run apt-get update just now and ran into a certificate issue.
$ apt-get update
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Hit:2 http://us.archive.ubuntu.com/ubuntu focal InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]
Ign:5 https://deb.goaccess.io focal InRelease
Get:6 https://cli.github.com/packages focal InRelease [3741 B]
Err:7 https://deb.goaccess.io focal Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 67.205.130.138 443]
Reading package lists... Done
E: The repository 'https://deb.goaccess.io focal Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
@domolicious your problem might be related to the Let's Encrypt root certificate expiration.
Try if this works:
$ curl https://curl.se
If you see the same issue then it is Let's Encrypt related and you need to remove the expired Root CA.
Without having a detailed explanation: I solved the apt issue by revisiting the installation docs for Debian/Ubuntu and following the instructions. I guess it was needed as it was quite some time ago I added it to the repo.
I was experiencing this issue as well. For anyone else with this issue, it appears to be related to the Let's Encrypt Root CA expiry; you need to remove DST Root CA X3. It expired on Sept 30, 2021 and did not get refreshed.
Here is the article I was reading and they have steps on removing it as well. https://www.claudiokuenzler.com/blog/1135/lets-encrypt-root-ca-expired-git-server-certificate-verification-failed-x3
This solved my issue.
@allinurl I believe that *.goaccess.io certificate(s) should be renewed with the --preferred-chain "ISRG Root X1" to exclude expired root from the trust chains.
@Habetdin just curious, did you recently get an error?
@Habetdin by the way, I just added preferred_chain = ISRG Root X1 under /etc/letsencrypt/renewal/*.goaccess.io. Thanks for the heads up!
@Habetdin just curious, did you recently get an error?
@allinurl yes, I got the same error as in this post when I used apt on the 7th of November.
Also, the expired alternative trust chain breaks connections to custom DoT servers in Android and connections to some git servers that are using similar certificates. I've fixed issues like that from the server side.
Thanks for the heads up!
No problem, that's just the way to fix it without client-side actions required.
But for some reason I still see an expired trust path for deb.goaccess.io while checking it at SSLLabs' Tester.
Seems like preferred_chain should be set for explicit subdomains in your case, cuz certbot treats *.goaccess.io as the name of a wildcard certificate but not as a wildcard for subdomains like deb.goaccess.io themselves.
Starting from today (24.09.21), the SSL certificate has expired when trying to download GoAccess. Clicking on a download link will show that the site is "dangerous".
Download link here for example https://tar.goaccess.io/goaccess-1.5.1.tar.gz
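
An added example, not part of the thread or the project's own tooling: a shell audit for the point raised in the last comments, that preferred_chain has to be set for every certificate lineage and not only the wildcard one. It assumes certbot renewal files named <lineage>.conf with the setting under [renewalparams]; the sample file names and contents are constructed.

```shell
#!/bin/sh
# Added example: report certbot lineages whose renewal config does not pin
# the wanted chain. Assumption: one <lineage>.conf per certificate, with
# "preferred_chain = ..." stored in the [renewalparams] section.

# Print the preferred_chain value found under [renewalparams] in one file.
get_preferred_chain() {
    awk '
        /^[ \t]*\[/ { in_params = ($0 ~ /^[ \t]*\[renewalparams\]/); next }
        in_params && /^[ \t]*preferred_chain[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop "key ="
            sub(/[ \t]+$/, "")         # drop trailing blanks
            print
            exit
        }
    ' "$1"
}

# Print "lineage<TAB>current value" for every config that is not pinned.
audit_renewal_dir() {
    dir=$1
    want=${2:-ISRG Root X1}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        have=$(get_preferred_chain "$conf")
        if [ "$have" != "$want" ]; then
            printf '%s\t%s\n' "$(basename "$conf" .conf)" "${have:-<unset>}"
        fi
    done
}

# Build constructed sample configs: one pinned lineage, one left unpinned.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample' '[renewalparams]' \
        'authenticator = webroot' 'preferred_chain = ISRG Root X1' \
        > "$d/wildcard.example.conf"
    printf '%s\n' '# constructed sample' '[renewalparams]' \
        'authenticator = webroot' > "$d/deb.example.conf"
    echo "$d"
}

# Demo run; on a real host the argument would be the certbot renewal directory.
sample=$(make_sample_dir)
audit_renewal_dir "$sample"
rm -rf "$sample"
```

A lineage listed by the audit will keep being issued with the default chain on renewal until its own config is pinned and the certificate is renewed.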