[sylpheed:37024] Letsencrypt certificates issue

Walter Alejandro Iglesias roquesor at gmail.com
Sat Oct 2 22:39:35 JST 2021


Hello Sylpheed users,

I sent the messages below to Hiroyuki, he didn't answer, so I thought a
heads up here could be useful to someone.  If you happen to access an SMTP,
POP or IMAP server that uses letsencrypt certificates from a win-32
version of Sylpheed you surely ran into this problem from September 30
onwards.

Keep in mind that at some point I'll remove the certs.crt file I share in
the last link below (on my server); anyway, as explained in the
messages below, you just have to remove the following chain from the
certs.crt file used by Sylpheed:

$ cat /etc/ssl/certs/DST_Root_CA_X3.pem


----- Forwarded message from Walter Alejandro Iglesias <wai at roquesor.com> -----

Date: Fri, 1 Oct 2021 10:07:44 +0200
From: Walter Alejandro Iglesias <wai at roquesor.com>
To: Hiroyuki Yamamoto <hiro-y at kcn.ne.jp>
User-Agent: Mutt/1.10.1 (2018-07-13)
Subject: I found a solution

Hi again,

On Thu, Sep 30, 2021 at 10:15:03PM +0200, Walter Alejandro Iglesias wrote:
> Hello Hiroyuki,
> 
> In case you still maintain Sylpheed.  About this issue:
> 
>  https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
> 
> I use Letsencrypt certs with sendmail and dovecot in my home server, and I
> make my wife use Sylpheed (the last decent GUIed MUA out there!) in her
> Windows 10 desktop.  Unfortunately, after working without problems for
> years, last September 30, Sylpheed (only under Windows) started
> popping up a message on each SSL connection to the server complaining
> that Letsencrypt certs are outdated (they're not).
> 
> I've tried copying the last ca-certificates.crt that comes with Debian
> (which includes the ISRG_Root_X1 cert mentioned in the article above) to
> the Windows ../Sylpheed/etc/ssl/certs folder, but that didn't do the
> trick.  Is there some way to solve this issue?

I found this article:

  https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4?gi=241a8c4c15da

Based on what's explained there I *guess* the Win version of Sylpheed is
currently using outdated openssl libraries.  So I tried the same CentOS
workaround: I removed the "DST Root CA X3" chain from Sylpheed certs.crt,
and that *solved* the Letsencrypt certs problem.  Here's the file:

  https://en.roquesor.com/Downloads/certs.crt

(Latest ca-certificates.crt in my Debian system with the DST Root CA X3
chain removed.)


Greetings,


	Walter



----- End forwarded message -----
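
The workaround described in the message, as an added example (not code from the original post or from Sylpheed): a Python script that removes from a PEM bundle only the certificate whose subject names "DST Root CA X3", so a certificate merely issued by that root stays in place. The function names, the script name and the `.new` output suffix are assumptions.

```python
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----\n?", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def subject_der(der):
    """Return the encoded subject Name of a DER X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate
    _, pos, _ = _tlv(der, pos)              # tbsCertificate
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for _field in range(4):                 # serial, sigAlg, issuer, validity
        _, _, pos = _tlv(der, pos)
    _, start, end = _tlv(der, pos)
    return der[start:end]

def drop_root(bundle, common_name="DST Root CA X3"):
    """Remove certificates whose *subject* contains common_name."""
    needle, removed = common_name.encode(), 0
    def keep(match):
        nonlocal removed
        try:
            hit = needle in subject_der(base64.b64decode(match.group(1)))
        except (IndexError, ValueError):    # unparsable block: leave it alone
            hit = False
        removed += hit
        return "" if hit else match.group(0)
    return PEM_RE.sub(keep, bundle), removed

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: drop_root.py certs.crt")
    text, count = drop_root(open(sys.argv[1]).read())
    open(sys.argv[1] + ".new", "w").write(text)
    print(f"removed {count} certificate(s); wrote {sys.argv[1]}.new")
```

Run it on a copy of the bundle and check the reported count before replacing the file Sylpheed reads.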

