Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

'Certificate has expired' error for Let's Encrypt certificates (DST Root CA X3 issued) #10338

Closed
1 task done
felipeabou opened this issue Sep 30, 2021 · 38 comments
Closed
1 task done

Comments

@felipeabou
Copy link

felipeabou commented Sep 30, 2021

Is there an existing issue for this?

  • I have searched the existing issues

Describe the Issue

I've seen that this problem has happened before: #8589

The problem started today. Postman says the SLL certificate is expired, but it's not:
image

We use Letsencrypt to deal with SSL on our APIs and believe it could have something to do with this: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

By now, I'm using the disable “SSL certificate verification” workaround.

This problem happened with version 9.0.3 and also with version 8~, because I tried to rollback to solve it, with no luck.

Also, when using the Postman Web, the issue is not happening. It only happens with the Native App version.

Steps To Reproduce

  1. Try to hit any API that uses Letsencrypt to deal with SSL certificates.

Screenshots or Videos

Postman error:
image

Checking the same SSL on Chromium:
image

Environment Information

- Operating System: Ubuntu 20.02
- Platform Type: Native App
- Postman Version: 9.0.3

Additional Context?

No response

@adamsommer
Copy link

+1

- Operating System: macOS 10.15.7
- Postman Version: 9.0.3

@numaanashraf
Copy link
Member

Postman v8 and v9 seems to be impacted by the recent cert expiry https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/. We are investigating this now.

@numaanashraf
Copy link
Member

As a workaround, please turn off SSL verification via Settings > General.

Screenshot 2021-09-30 at 8 53 58 PM

@numaanashraf numaanashraf changed the title Postman says the SLL certificate is expired, but it's not 'Certificate has expired' error for certificate issuer R3 Sep 30, 2021
@amurrell
Copy link

+1

also using lets encrypt and valid certs till nov 1st - acting up today. Upgraded to latest postman version and it's still not working. Disabled ssl verification for now.

@taconi
Copy link

taconi commented Sep 30, 2021

+1

  • OS: Ubuntu 21.04
  • Kernel Release: 5.11.0-37-generic
  • Postman Version: 8.12.2

@idkw
Copy link

idkw commented Sep 30, 2021

Same :

  • OS : Linux Mint 20
  • Kernel : 5.4.0-88-generic
  • Postman : 8.11.1

@Ray-B
Copy link

Ray-B commented Sep 30, 2021

+1

  • OS: Big Sur 11.6
  • Postman: 9.0.3

@numaanashraf
Copy link
Member

Thanks for your patience everyone. We have identified the issue and are testing out a potential fix internally. Once we have the fix verified, we'll release a patch on our v8.x and v9.x release lines.

@trixie88
Copy link

trixie88 commented Sep 30, 2021

+1
postman V: 9.0.3

@mikeamcbrien
Copy link

+1

  • OS: Big Sur 11.6
  • Postman: 9.0.3

@danielgelling
Copy link

Also on:

  • Postman Version 8.12.1
  • OS X 20.6.0 / x64

@Freyert
Copy link

Freyert commented Sep 30, 2021

The LetsEncrypt expiration is a bit confusing because the expired certificate is left in the chain for backwards compatibility purposes from what we've read on their blog.

So there are two paths for the certificates, the new shorter valid path, and the longer expired path.

That is to say the issue is likely not that the trust store is missing a certificate, but that postman is ignoring the valid certificate path.

Update:

If postman is using a version of NodeJS older than 5 years it's likely they don't have the ISRG Root X1 in the trust chain.

https://github.com/nodejs/node/blame/master/src/node_root_certs.h#L2602-L2631

If someone wants to try you can extend the built in certificates via the environment variable NODE_EXTRA_CA_CERTS nodejs/node#9139

Update 2:

I've tried manually adding the CA for ISRG Root X1 from NodeJS to no avail. It's likely a conflict in the TLS resolution paths. If you want to try yourself just copy and paste the certificate I linked here into a file ending with .pem and import it into postman as you are accustomed to.

I don't know much about Postman so maybe someone can figure out how to get more details from there or correctly configure the certificate.

@numaanashraf
Copy link
Member

@Freyert Postman uses Electron, which has a non-standard Node + BoringSSL integration. We believe this is happening cuz boringSSL is not configured to prefer the shorter part by default. We have patched this internally and is also working on upstreaming this.

electron/electron#31213

@Freyert
Copy link

Freyert commented Sep 30, 2021

@numaanashraf thanks for the transparency! I was a bit in the dark from the older issues on what was fixed last time. Thank you all for the quick turn around :)

@felipeabou
Copy link
Author

Thanks, guys, for the fast response!

@cfecherolle
Copy link

+1 !
OS : Big Sur 11.2.2
Postman : 9.0.3
Indeed, the problem occurs when hitting URLs from domains with Let's Encrypt certificates.

@kabadabra
Copy link

+1

  • OS: Big Sur 11.6
  • Postman: 9.0.3
  • Let's Encrypt Certificate

&

  • OS: Windows 10 21H1 Build 19043.1237
  • Postman: 9.0.3
  • Let's Encrypt Certificate

@karelbilek
Copy link

You don't need to keep adding +1 folks, the error is already fixed on master and will get released

@CleverHosting
Copy link

9.04 still facing the problem

@numaanashraf numaanashraf changed the title 'Certificate has expired' error for certificate issuer R3 'Certificate has expired' error for Let's Encrypt certificates (DST Root CA X3 issued) Oct 1, 2021
@tomswinkels
Copy link

+1

macOS Big Sur 11.5
Postman 9.0.3

@numaanashraf
Copy link
Member

numaanashraf commented Oct 1, 2021

The fix for this issue is available now on v9.0.5 version. If you are on Postman v9.0 and above, do 'Check for Updates' to get access to this version. Looking forward to hearing if the issue is resolved at your end.

[EDIT] If you are on Postman v8, v8.12.4 is available as well with the fix.

@goran-insby
Copy link

Wow this was fast, installed and works perfect.

@numaanashraf numaanashraf self-assigned this Oct 1, 2021
@felipeabou
Copy link
Author

Wow, you guys were really fast with this! Thank you very much!
Using version 9.0.5 and everything is working perfectly.

@cretara
Copy link

cretara commented Oct 1, 2021

Thanks for fix, now works great in Postman v.9.0.5

@numaanashraf
Copy link
Member

The fix is now available on both v9 & v8 release lines via v9.0.5 & v8.12.4. Closing this issue.

@drissfoo
Copy link

drissfoo commented Oct 6, 2021

Still have this issue for the last version v9.0.5 for macOS Big Sur 11.4
Certificate is valid til 31 October. Seems like a random issue happening only to me and not my colleagues.
Screenshot 2021-10-06 at 17 38 36
"Screenshot 2021-10-06 at 17 40 50
Screenshot 2021-10-06 at 17 42 46

@nhanledev
Copy link

Postman Desktop Agent v0.3.9 is also experiencing this issue

@zhuww0236
Copy link

The fix for this issue is available now on v9.0.5 version. If you are on Postman v9.0 and above, do 'Check for Updates' to get access to this version. Looking forward to hearing if the issue is resolved at your end.

[EDIT] If you are on Postman v8, v8.12.4 is available as well with the fix.

My electron application also shows' certificate has expired '. Can you share how to solve this problem? Thank you very much

@dan-j
Copy link

dan-j commented Oct 12, 2021

I thought the same thing as @drissfoo with it not working for me but working for colleagues, but they still had "verify ssl certs" disabled.

Screenshot 2021-10-12 at 13 52 38

@evpill
Copy link

evpill commented Oct 26, 2021

I'm on Postman version 9.1.1 (Windows) and still having this issue. I had "verify ssl certs" disabled but enabled it because I'm getting similar errors when setting up webhooks from GitHub and OpenShift Container Platform and was wondering why I wasn't getting the error there. Looks like it is still a widespread issue, possibly all these services are pulling from the same source for their Trusted CAs. However, it looks like my web-browsers are the only apps that can verify certificates correctly at the moment... :( ... Fortunately (???), I can disable SSL verification with GitHub webhooks and in Postman but haven't figured out how to make OSCP less secure yet...

It looks like I may have to adjust my expectations while waiting for everyone to adjust to CST (You thought DST was hard to adjust to, Covid Savings Time has everyone in a dream-like vacation daze). I would have thought that getting certificates to work properly would have been higher on peoples' priorities.

@davidaugustus-focusmate

Seeing the same issue on Postman version 9.0.9 (MacOS, Chrome)

Screen Shot 2021-10-28 at 1 46 41 PM

Screen Shot 2021-10-28 at 1 47 02 PM

Screen Shot 2021-10-28 at 1 47 27 PM

@bumblefudge
Copy link

Same here,
Windows 10 x64
Postman Agent W64 v0.3.9
image

@vivekmittal
Copy link

+1

@superboyiii
Copy link

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
See here. It's a dependency issue. Please update your OS dependency to the latest, then make POST or GET to the server with DST Root CA X3

@johnathany505
Copy link

Nothing ritenow

@AmiinaAhmed
Copy link

still have the same problem
OS: Windows 10
Postman v9.4.0 is the latest version.
and it is needed to disable the SSL certificate to works (however I have a warning)

@KamilWitkowski7
Copy link

KamilWitkowski7 commented Feb 17, 2022

This issue happens when one of the certs in pem files is outdated.
In my case removing the outdated cert from the pem file made this issue disappear.

@AlejandroDaneri
Copy link

+1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests