-
Notifications
You must be signed in to change notification settings - Fork 841
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
'Certificate has expired' error for Let's Encrypt certificates (DST Root CA X3 issued) #10338
Comments
+1
|
Postman v8 and v9 seems to be impacted by the recent cert expiry https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/. We are investigating this now. |
+1 also using lets encrypt and valid certs till nov 1st - acting up today. Upgraded to latest postman version and it's still not working. Disabled ssl verification for now. |
+1
|
Same :
|
+1
|
Thanks for your patience everyone. We have identified the issue and are testing out a potential fix internally. Once we have the fix verified, we'll release a patch on our v8.x and v9.x release lines. |
+1 |
+1
|
Also on:
|
The LetsEncrypt expiration is a bit confusing because the expired certificate is left in the chain for backwards compatibility purposes from what we've read on their blog. So there are two paths for the certificates, the new shorter valid path, and the longer expired path. That is to say the issue is likely not that the trust store is missing a certificate, but that postman is ignoring the valid certificate path. Update: If postman is using a version of NodeJS older than 5 years it's likely they don't have the ISRG Root X1 in the trust chain. https://github.com/nodejs/node/blame/master/src/node_root_certs.h#L2602-L2631 If someone wants to try you can extend the built in certificates via the environment variable Update 2: I've tried manually adding the CA for ISRG Root X1 from NodeJS to no avail. It's likely a conflict in the TLS resolution paths. If you want to try yourself just copy and paste the certificate I linked here into a file ending with I don't know much about Postman so maybe someone can figure out how to get more details from there or correctly configure the certificate. |
@Freyert Postman uses Electron, which has a non-standard Node + BoringSSL integration. We believe this is happening cuz boringSSL is not configured to prefer the shorter part by default. We have patched this internally and is also working on upstreaming this. |
@numaanashraf thanks for the transparency! I was a bit in the dark from the older issues on what was fixed last time. Thank you all for the quick turn around :) |
Thanks, guys, for the fast response! |
+1 ! |
+1
&
|
You don't need to keep adding +1 folks, the error is already fixed on master and will get released |
9.04 still facing the problem |
+1 macOS Big Sur 11.5 |
The fix for this issue is available now on v9.0.5 version. If you are on Postman v9.0 and above, do 'Check for Updates' to get access to this version. Looking forward to hearing if the issue is resolved at your end. [EDIT] If you are on Postman v8, v8.12.4 is available as well with the fix. |
Wow this was fast, installed and works perfect. |
Wow, you guys were really fast with this! Thank you very much! |
Thanks for fix, now works great in Postman v.9.0.5 |
The fix is now available on both v9 & v8 release lines via v9.0.5 & v8.12.4. Closing this issue. |
Postman Desktop Agent v0.3.9 is also experiencing this issue |
My electron application also shows' certificate has expired '. Can you share how to solve this problem? Thank you very much |
I thought the same thing as @drissfoo with it not working for me but working for colleagues, but they still had "verify ssl certs" disabled. |
I'm on Postman version 9.1.1 (Windows) and still having this issue. I had "verify ssl certs" disabled but enabled it because I'm getting similar errors when setting up webhooks from GitHub and OpenShift Container Platform and was wondering why I wasn't getting the error there. Looks like it is still a widespread issue, possibly all these services are pulling from the same source for their Trusted CAs. However, it looks like my web-browsers are the only apps that can verify certificates correctly at the moment... :( ... Fortunately (???), I can disable SSL verification with GitHub webhooks and in Postman but haven't figured out how to make OSCP less secure yet... It looks like I may have to adjust my expectations while waiting for everyone to adjust to CST (You thought DST was hard to adjust to, Covid Savings Time has everyone in a dream-like vacation daze). I would have thought that getting certificates to work properly would have been higher on peoples' priorities. |
+1 |
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ |
Nothing ritenow |
still have the same problem |
This issue happens when one of the certs in pem files is outdated. |
+1 |
Is there an existing issue for this?
Describe the Issue
I've seen that this problem has happened before: #8589
The problem started today. Postman says the SLL certificate is expired, but it's not:
We use Letsencrypt to deal with SSL on our APIs and believe it could have something to do with this: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
By now, I'm using the disable “SSL certificate verification” workaround.
This problem happened with version 9.0.3 and also with version 8~, because I tried to rollback to solve it, with no luck.
Also, when using the Postman Web, the issue is not happening. It only happens with the Native App version.
Steps To Reproduce
Screenshots or Videos
Postman error:
Checking the same SSL on Chromium:
Environment Information
Additional Context?
No response
The text was updated successfully, but these errors were encountered: