Let's Encrypt certificate

Posted by Riverside Software on 27-Aug-2018 10:54

Hello,

I'd like to import into $DLC/certs the chain for a Let's Encrypt certificate. For example, https://ci.rssw.eu

Using Chrome, I was able to export the two root entries (DST root X3 then Let's Encrypt Root) in CER format, and imported them successfully in $DLC/certs (using $DLC/bin/certutil). Then if I execute a CONNECT function to this site, I'm getting

Secure Socket Layer (SSL) failure. error code -54: certificate has expired: for 4f06f81d.0 in /opt/dlc-11.7/certs (9318)
Connection failure for host ci.rssw.eu port 443 transport HTTPS. (9407)
Application server connect failure. (5468)

Certificate is not expired for sure... For what it's worth, it's a wildcard certificate, and I'm using 11.7 (unpatched), so that *should* be supported.

Does anybody know what I'm doing wrong?

All Replies

Posted by onnodehaan on 27-Mar-2020 23:14
Posted by jsandrea on 28-Mar-2020 00:11

Hi. Maybe this error is related to your current version; I'm using 11.7.5 and it works fine with your URL.

Posted by bronco on 28-Mar-2020 14:48

IIRC the problem usually arises when more than 1 secure domain is served on one server (and it has to do with server name indication). The problem is that 11.7.0 doesn't support it. The nohostverify suggestion is a bad one, because it removes essential steps in setting up secure communications.

I solved this once by setting up an instance of Apache httpd which can act as a forward proxy. Let Apache handle the TLS/SSL stuff.  

Posted by Riverside Software on 30-Mar-2020 07:26

That's a very old thread!

IIRC, I had to use ServerNameIndicator and fix a configuration issue on the server.

Posted by onnodehaan on 30-Mar-2020 09:06

The reason I reopened the thread was that I faced the same problem and noticed that it was unanswered.

Setting ServerNameIndicator fixed it for me as well.

This thread is closed