Oh my gosh! Thank you. I am a newbie when it comes to certificates. I am only using TLS for outbound calls. I thought I shouldn't need a certificate when doing outbound only [a client] but was getting some weird error. After I read your email I simply commented out both "certificate" lines in my configuration and it works!!! One last question. I don't need certbot at all then, right?

Thanks again,
Ray

Viktor Dukhovni wrote:
> On Tue, Nov 01, 2022 at 05:55:08AM -0500, Ray Crumrine wrote:
>
>> SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151573> <SSL
>> routines-ssl3_read_bytes-sslv3 alert certificate expired>
>
> Is this logged by the TLS client or server? In other words, are you
> running a client application making outgoing connections or a server
> application receiving incoming connections?
>
>> but not all of the time. Only when I try to access
>> us-east-va.sip.flowroute using tlsv1.2.
>
> This sounds like "client". TLS alerts are sent by the other end of the
> connection, so if you're getting "certificate expired" alerts from a
> server, that means that your client is *sending* an expired certificate
> to the server (which must have solicited, possibly optional, client
> certificates). The server in question does send certificate requests:
>
>     Transport Layer Security
>         TLSv1.2 Record Layer: Handshake Protocol: Certificate Request (fragment)
>             Content Type: Handshake (22)
>             Version: TLS 1.2 (0x0303)
>             Length: 16384
>             Handshake Protocol: Certificate Request (fragment)
>             ...
>
>> I have tried two other sites using the same configuration and they work
>> fine. Is there a simple configuration change or do I need OpenSSL v3.0?
>
> The other sites presumably don't solicit client certificates. The
> simplest choice is to not configure a client certificate unless you're
> sure you're going to need one.
>
>> Checking with
>> https://decoder.link/sslchecker/us-east-va.sip.flowroute.com/5061
>> everything checks fine???
>
> The probe does not send expired client certs.
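Added illustration (not code from this thread, from OpenSSL or from the SIP software involved) of the two things Viktor's diagnosis rests on: the logged error number 336151573 decodes to a TLS alert that the *peer* sent (OpenSSL's reason codes for received alerts are 1000 + the alert number), and the server's handshake flight contains a CertificateRequest, so the expired certificate is the one the client presented. The error-number layout assumed is OpenSSL 1.1.x's (8-bit library, 12-bit function, 12-bit reason); the single function-id mapping is taken from the name the log line itself prints; the TLS record bytes are constructed, not captured; the function names are my own.

```python
"""Decode the OpenSSL 1.1.x error number from the log line and describe the
TLS records the reply refers to (CertificateRequest, certificate_expired alert).
Constants follow OpenSSL 1.1.x headers and RFC 5246; sample bytes are constructed."""
import struct

ERR_LIB_SSL = 20              # ERR_LIB_SSL in OpenSSL's err.h
SSL_AD_REASON_OFFSET = 1000   # SSL_R_* reason for a *received* alert = 1000 + alert number

# TLS AlertDescription values (RFC 5246 section 7.2), subset
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}
# TLS 1.2 HandshakeType values (RFC 5246 section 7.4), subset
HANDSHAKE_TYPES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
    15: "CertificateVerify", 16: "ClientKeyExchange",
}
# OpenSSL 1.1.x function id; only the function the log line names is listed
FUNC_NAMES_1_1 = {148: "ssl3_read_bytes"}


def decode_openssl_error(code):
    """Unpack an OpenSSL 1.1.x error number: lib (8 bits) | func (12) | reason (12).
    OpenSSL 3 packs differently (library at bit 23, no function field), so this
    layout is an assumption matching the 1.1.x-style log line in the thread."""
    lib = (code >> 24) & 0xff
    func = (code >> 12) & 0xfff
    reason = code & 0xfff
    info = {"lib": lib, "func": FUNC_NAMES_1_1.get(func, func),
            "reason": reason, "received_alert": None}
    # Reasons at or above the offset are alerts the peer sent us; a local
    # verification failure carries a reason below 1000 instead.
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        info["received_alert"] = (number, ALERT_DESCRIPTIONS.get(number, "unknown"))
    return info


def parse_tls_records(data):
    """Walk TLS records and describe each as a handshake type, an alert, or other.
    A handshake whose declared length exceeds the record body is marked
    '(fragment)', as Wireshark did for the CertificateRequest in the thread."""
    out = []
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        off += 5 + length
        if ctype == 22 and len(body) >= 4:
            hs_type = body[0]
            hs_len = int.from_bytes(body[1:4], "big")
            name = HANDSHAKE_TYPES.get(hs_type, "handshake type %d" % hs_type)
            if hs_len > len(body) - 4:
                name += " (fragment)"
            out.append(("handshake", name))
        elif ctype == 21 and len(body) >= 2:
            level = {1: "warning", 2: "fatal"}.get(body[0], "level %d" % body[0])
            out.append(("alert", "%s %s" % (level, ALERT_DESCRIPTIONS.get(body[1], body[1]))))
        else:
            out.append(("other", "content type %d" % ctype))
    return out


def explain(code, peer_records):
    """Combine the two the way the reply does: a received certificate_expired
    alert after the peer sent CertificateRequest means the certificate *we*
    presented as the client is the expired one."""
    err = decode_openssl_error(code)
    solicited = any(kind == "handshake" and desc.startswith("CertificateRequest")
                    for kind, desc in peer_records)
    if err["received_alert"] and err["received_alert"][0] == 45 and solicited:
        return "peer solicited a client certificate and rejected ours as expired"
    if err["received_alert"]:
        return "peer sent alert %s" % err["received_alert"][1]
    return "local failure, not a peer alert"


# Constructed sample bytes (not a real capture): a TLS 1.2 record holding the
# start of a CertificateRequest (type 13) whose handshake length (0x004000)
# exceeds what this record carries, followed by a fatal certificate_expired alert.
CERT_REQUEST_FRAGMENT = b"\x16\x03\x03\x00\x05" + b"\x0d\x00\x40\x00" + b"\x01"
EXPIRED_ALERT = b"\x15\x03\x03\x00\x02" + b"\x02\x2d"
LOGGED_ERR = 336151573   # the err: <...> number from the log line

if __name__ == "__main__":
    records = parse_tls_records(CERT_REQUEST_FRAGMENT + EXPIRED_ALERT)
    print(decode_openssl_error(LOGGED_ERR))
    print(records)
    print(explain(LOGGED_ERR, records))
```

The practical check this encodes: if the reason field of an OpenSSL error is 1000 or more, the failure is an alert received from the peer, so look at what your side sent (here, a client certificate) rather than at the peer's certificate chain, which the online checker in the thread was validating.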