Certificate Expired Error

[davidstx]

I updated the LetsEncrypt certificates on my server, now validate certificate no longer works and I get a certificate expired error

[fribse]

MQTT Explorer: 0.3.5 Same here. I checked the mosquitto server here with: openssl s_client -connect <realurl>:8883 2>/dev/null | openssl x509 -noout -dates And that says the certificate is valid. Also MQTT Box agrees :-)

[hallard]

Nice to see I'm not alone, spend lot of time on my config thinking of an issue on docker instance with certificate until I see all is fine except on MQTT Explorer Side. Not sure what changed and why now it does not work either.

openssl s_client -servername broker.mydomain.com -connect broker.mydomain.com:8883 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug 15 17:14:58 2021 GMT
notAfter=Nov 13 17:14:56 2021 GMT

[fribse]

Mine shows almost the same dates: notBefore=Aug 18 00:31:25 2021 GMT notAfter=Nov 16 00:31:23 2021 GMT

[fribse]

Just saw this: https://github.com/thomasnordquist/MQTT-Explorer/issues/593 I guess that's why...

[fribse]

Well, no, my certificate chain is going to the ISRG root cert, so that's not the case for me :-(

[hallard]

Same thing here I used my broker certificate and quickly binded it to https (same name of course) with nginx and all is good from browser view.

My guess is how the app handle the certificate on client computer.

[DavidPearce]

Same issue here. I suspect that the MQTT Explorer client uses an internal cert store, rather than Windows wide certs. We had similar issues with a piece of hardware that we make, and in this case, because we also had DST Root CA X3 which had expired, this had to be removed. If the Client does use some internal cert handling, updating from here should fix it: https://curl.se/ca/cacert.pem

[grillp]

Seems there is a workaround as this is a problem in the electron library that MQTT Explorer uses.

The workaround is to create the certificate again, but tying it to a specific certificate chain using the --preferred-chain "ISRG Root X1" option on certbot (https://github.com/electron/electron/issues/31212#issuecomment-931486784)

e.g. sudo certbot certonly --nginx -d <domain> --preferred-chain "ISRG Root X1"

I tried that and it solved the problem for me.

[mrkeuz]

Same issue. MQTT Explorer: 0.3.5 (snap version) Ubuntu 20.04.3

Just want upvote.

[konstantin-teplitzky]

the same issue trying to check 0.4.0-beta1 (and is the same) Linux AppImage version

[urbanze]

Same problem here!

[greetclock]

That might be relevant for the problem that we have. I use 0.3.5

Update September 30, 2021 As planned, the DST Root CA X3 cross-sign has expired, and we’re now using our own ISRG Root X1 for trust on almost all devices. For more details about the plan, keep reading! We have also updated our Production Chain Changes thread on our community forum - our team and community are here and ready to help with any questions you may have about this expiration.

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

[jceloria]

This quick workaround worked for me: https://github.com/electron/electron/issues/31212#issuecomment-931546033

[amitrohatgi]

@jceloria how did you apply the workaround?

[johnceloria]

I read and comprehended the content in provided link and then took the suggested action? I'm not sure what you're asking me to provide to you.

[amitrohatgi]

Thanks - the content suggests a change to the certificate on the server, which mine already points to ISGRoot. So I was curious if there was something else you did. The problem seems to be with MQTT Explorer, since other programs such as MQTTx don't have an issue connecting via SSL to a server issued cert. Anyway, thanks for your response. On Monday, February 7, 2022, 05:06:23 PM PST, John Celoria @.***> wrote:

I read and comprehended the content in provided link and then took the suggested action? I'm not sure what you're asking me to provide to you.

— Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android. You are receiving this because you commented.Message ID: @.***>

[johnceloria]

Right, its a workaround and not a fix.

[marinofra]

You can download the root certificate from here and add it your connection options via:

1. Advanced
2. Certificates
3. Server Certificate (CA)

Don't forget to save the configuration after testing if it works correctly.

Until the application is updated to a version of Electron where this was patched or the CA gets baked into the code with an hacky workaround, this the only way to fix the problem.

[DavidPearce]

Thanks marinofra. This worked for me, I can now turn cert validation on again and successfully connect to the affected servers.

[johny-mnemonic]

@thomasnordquist wouldn't this issue deserve at least a bump of beta version with new electron to fix the cert issue?

[frosty-geek]

+1

[PhiRie]

Still facing the same issue with version 0.4.0-beta1. Is there any fix planned to use the certificate store of the underlying OS?

[ilgrank]

Just in case someone is expecting help from the Dev: he's not connecting since very long, and as far as we can tell the project is on hold at best.

[PhiRie]

Thx @ilgrank for the info. Sad, because I liked the tool but then I will give MQTTX a try.

[bj00rn]

Electron is upgraded to 29 now, hopefully that will fix it. Im moving slowly to try to break things. I'll try to get a new beta built