[Bug]: Let's Encrypt root CA isn't working properly #31212
Comments
Hi, Exact same problem since the DST Root CA X3 expiration today.
Hello,
Ditto.
Experiencing the same issue right now.
Same here.
Same on Electron 11
Same problem with an old Electron 8.0 app, we didn't change anything in a year and it stopped working today:
I tried to renew my certificate on the server, no luck.
Same issue on Windows node v14.18.0. Also regenerated the server cert. No joy.
Is there any alternative to Let's Encrypt that could be used while the problem is being worked on?
For those that have this problem and control of the server, you might want to change your certificate for one that is still valid. If your ACME client allows you to change CA, you can try ZeroSSL ACME Certs to replace your current LetsEncrypt. Since the ZeroSSL signing certificate has not changed, it might work where your current LetsEncrypt one won't (Note that I did not test this).
One dirty workaround I found was to create a CA array and add it to the
Note that you cannot expand with
Related thread with some findings on the LE forum, no solution yet: https://community.letsencrypt.org/t/issues-with-electron-and-expired-root/160991 The guidance from LE is to regenerate the certificate using the
Follow up on my prior message, the proposed approach there has worked properly with two modifications: removing the
Hope this solution helps others to obtain a valid shortened certificate chain until the long term issue is resolved at the Electron level.
Well, this is a particularly disastrous bug. Certificate chain is completely valid by every metric and using every client... except Electron. Problem is the same in 16.0.0-alpha.2 even. Node client is fine, all browsers we've tried on Windows and Mac, OpenSSL, every SSL checker I've run it through reports all is healthy and good across the certificate chain. All certificates freshly re-generated. We're pretty much dead in the water at the moment.
Thanks @aaclayton, that fix seems to work fine for us.
I tried @aaclayton's fix but my Electron app still refuses. I'm on Electron 14.0.0 and the server is using an Apache. I just force-renewed the certificates using the ISRG root as a preferred chain root, incl. restart and all that yadda yadda, but unfortunately unsuccessful.
We (Postman.com) have a potential fix. Running some further tests and sending a PR if it all goes fine.
For those who still have the problem: we were using the fullchain.cer containing the certificate, the R3 and the new ISRG Root X1. We just removed the X1 from the fullchain.cer and like pure magic Electron is back on again :) Hope it helps
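Added example, not part of the comment above and not Electron project code: the server-side trim that comment describes (dropping the trailing entry from a fullchain bundle), with a guard so a repeated run cannot strip the intermediate. The function names and the placeholder certificate bodies are constructed for illustration.

```javascript
// Added example: trim the trailing certificate from a PEM bundle.
// It works by position only and does not inspect the certificate, so confirm
// what the last entry is first (e.g. `openssl x509 -noout -subject -issuer`).

const CERT_BLOCK =
  /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g;

// Return each certificate block in the order it appears in the bundle.
function splitPemBundle(bundle) {
  return bundle.match(CERT_BLOCK) || [];
}

// Drop the last certificate, refusing if fewer than `minRemaining` would be
// left. Use 2 for a fullchain file (leaf + intermediate) and 1 for a chain
// file (intermediate only), so a second run cannot remove the intermediate
// that clients still need to build a path.
function dropTrailingCert(bundle, minRemaining) {
  const certs = splitPemBundle(bundle);
  if (certs.length - 1 < minRemaining) {
    throw new Error(
      `refusing to trim: bundle has ${certs.length} certificate(s), ` +
      `${minRemaining} must remain`
    );
  }
  return certs.slice(0, -1).join('\n') + '\n';
}

// Constructed sample: placeholder bodies standing in for leaf, R3 and X1.
// These are NOT real certificates.
function pem(body) {
  return `-----BEGIN CERTIFICATE-----\n${body}\n-----END CERTIFICATE-----`;
}
const sampleFullchain =
  [pem('LEAFLEAF'), pem('R3R3R3R3'), pem('X1X1X1X1')].join('\n') + '\n';

const trimmed = dropTrailingCert(sampleFullchain, 2);
console.log(`${splitPemBundle(sampleFullchain).length} -> ` +
            `${splitPemBundle(trimmed).length} certificates`);
```

ACME clients rewrite the bundle on renewal, so a trim like this has to be reapplied after each renewal until the clients themselves are fixed.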
Here is the official Let's Encrypt statement: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ I tried using this solution...
... but my version of certbot (0.31.0) does not support the --preferred-chain option. Since I am running debian 10, 0.31.0 is the latest version.
Here is the PR: #31213. It seems to work fine for us but if you could also give it a spin, that would be great!
As suggested here, removing the last certificate present in
@benmordecai Yeah they stopped shipping Certbot updates via APT a while ago, I had to notice as well. They now offer snap packages. Just follow their instructions here to update to the newest version
FYI If you're using Caddy the following worked for me:
I had to remove my current certificates, and restart caddy.
If you use
P.S. same problem with certs on electron@11.4.3
I solved the problem by buying a $15 certificate after two and a half hours of fruitless searching. Users of my application have been blocked for too long... Now I can wait one year for a fix!
Replacing the cert worked for us also
Was this issue closed by commit? Pretty interested in if this is already fixed. Btw I figured out that this is not an issue in nodejs apps
@Derkades ty very much for your help! Can you help me to figure out on what releases this fix was deployed? I am struggling to find that in the release notes. Already migrated to v15 latest version but the error persists. Topic is pretty urgent in my company :/
Totally annoying. I've tried every command in this thread to no avail. I've still got the "unrecognized arguments: --preferred_chain=ISRG Root X1" error from certbot on a Debian system.
You can skip it with
Please don't suggest
@s-a : electron 15.1.2 works for me. Did you try to remove node_modules dir and npm install? IMHO the best solution is using temporarily trustSSL (they have also a free 30 day cert, with quick email validation), fix the electron app and return to let's encrypt.
@datacosmos Yes, but nevertheless you are right! I am stupid. Thanks for confirmation 😅
Works well! Please consider removing the same cert from the chain.pem file as well to prevent this error:
Fixes: electron#31212 Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>
This suggestion is what I am using. In my case, it's with the version of Electron provided by Expo.
On a few computers when I try to load my site, I get the error ERR_CERT_DATE_INVALID, and when I configure it to ignore certificate errors, I get the error ERR_TIMED_OUT. Electron 22.3.4
Preflight Checklist
Electron Version
15.0.0
Reproduced on Electron 12, 13, 14
What operating system are you using?
Other Linux
Operating System Version
Arch Linux rolling
What arch are you using?
x64
Last Known Working Electron version
No response
Expected Behavior
The request to https://letsencrypt.org (or any Let's Encrypt secured website) should work in the main process as the certificate chain seems valid.
Actual Behavior
It doesn't work in the main process. However, it works in the renderer (with standard Fetch API) or in Node 16.5 REPL (also with Axios).
Testcase Gist URL
https://gist.github.com/fc9cc8d91df7d02f211698f9aceb0087
Additional Information
I think it's probably related to the recent expiry of DST Root CA X3 but strangely enough, it's working properly on the renderer and in a single Node app?
My understanding is that by default, Node.js uses a capture of the Mozilla trust CA, could it be that the Electron one is unsynced?