When updating RC I get a certificate expiration error:
curl -L https://releases.rocket.chat/latest/download -o /tmp/rocket.chat.tgz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
I'm seeing another issue I suspect is related to this - push notifications from my server stopped working today, and logs are throwing a cert expiry error:
I20200531-04:44:58.320(0) server.js:204 System ➔ error Error sending push to gateway (4 try) -> { Error: certificate has expired at TLSSocket.<anonymous> (_tls_wrap.js:1116:38) at emitNone (events.js:106:13) at TLSSocket.emit (events.js:208:7) at TLSSocket._finishInit (_tls_wrap.js:643:8) at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:473:38) code: 'CERT_HAS_EXPIRED' }
Running openssl s_client -connect gateway.rocket.chat:443
shows certificate expired as well. Appears to be related to a cross-signed cert expiring: https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
Is this still an issue? I was able to go to https://releases.rocket.chat/latest/info
Interestingly, when I run curl I can connect to gateway.rocket.chat:443 without issue, but I still see the following logs on the server:
I20200531-10:09:32.629(-4) server.js:212
System ➔ error Error seinding push to gateway (4 try) -> { Error: certificate has expired at TLSSocket.<anonymous> (_tls_wrap.js:1105:38) at emitNone (events.js:106:13) at TLSSocket.emit (events.js:208:7) at TLSSocket._finishInit (_tls_wrap.js:639:8) at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:469:38) code: 'CERT_HAS_EXPIRED' }
I’m wondering if something is being cached on the server side — or maybe the underlying version of JavaScript isn’t compatible with the new trust anchors as is stated in the above article?
This kind of looks like a widespread problem with push notifications - we are seeing certificate errors with push notifications on multiple instances.
We are running the snap instance of rocket.chat, version 2.4.11 Rev 1427
Created a separate issue, #17798, for the issue also affecting the push gateway service, as opposed to only affecting the releases service.
Can you guys confirm this is no longer an issue? We just reissued and replaced the SSL Certificate.
Just for transparency here: we were affected by one of the upstream CA's certificates expiring - https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
We've gotten the certificates reissued and it should not be a problem any more. Thanks for reporting!
Can confirm that notifications are working again here. Thanks much!
Awesome, thank you for confirming @Ishindri!
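Added example, not part of the original thread or of Rocket.Chat's code: the thread traces `CERT_HAS_EXPIRED` to an upstream CA certificate rather than the site's own certificate, so this sketch checks every certificate in a served chain and reports which one has expired. It assumes the input is the `subject=` / `notAfter=` lines that `openssl x509 -noout -subject -enddate` prints for each certificate, leaf first; the subjects and dates in the sample are constructed.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample: what `openssl x509 -noout -subject -enddate` prints for
# each certificate a server sends, leaf first. Names and dates are made up.
SAMPLE_CHAIN = """\
subject=CN = chat.example.test
notAfter=Mar 14 23:59:59 2021 GMT
subject=CN = Example Issuing CA
notAfter=Dec 31 23:59:59 2030 GMT
subject=CN = Example Cross-Signed CA
notAfter=May 30 10:48:38 2020 GMT
"""


def parse_chain(text):
    """Return [(depth, subject, not_after)] from subject=/notAfter= line pairs."""
    chain, subject = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "subject":
            subject = value.strip()
        elif key == "notAfter":
            if subject is None:
                raise ValueError("notAfter line without a preceding subject")
            secs = ssl.cert_time_to_seconds(value.strip())
            not_after = datetime.fromtimestamp(secs, timezone.utc)
            chain.append((len(chain), subject, not_after))
            subject = None
    return chain


def diagnose(chain, now):
    """Say whether the leaf, a CA certificate in the chain, or nothing has expired."""
    expired = [c for c in chain if c[2] <= now]
    if not expired:
        return "ok"
    if any(depth == 0 for depth, _, _ in expired):
        return "leaf expired"
    return "chain expired: " + ", ".join(subj for _, subj, _ in expired)


if __name__ == "__main__":
    # Timestamp of the first push-gateway error quoted in the thread (UTC).
    now = datetime(2020, 5, 31, 4, 44, 58, tzinfo=timezone.utc)
    print(diagnose(parse_chain(SAMPLE_CHAIN), now))
```

A "chain expired" result with a valid leaf means the server operator has to change the CA certificates being served; renewing trust stores on the client does not help while the expired certificate is still sent.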