'Certificate expired' error on a valid cert
Versions
- OS: Windows 10 21H1
- Gajim version: 1.3.2
- GTK version: 3.24.29
- Python-nbxmpp version: 2.0.2
Description
I am using an SSL connection to an ejabberd server with a Let's Encrypt-generated certificate. The certificate self-renews every 3 months and is valid through 25.11.2021, but Gajim failed to validate it with a 'The certificate is expired' message. I use the same certificate for https and the browser is happy with it. Certbot also confirms that the certificate is not due for renewal. The time on the client PC is set correctly. This setup has worked for the past four years. Honestly, I am stumped.
Debug log:
01.10.2021 01:47:46 (I) nbxmpp.connection | (heap.ovh) Start TLS negotiation
01.10.2021 01:47:46 (I) nbxmpp.stream | (heap.ovh) Start stream
01.10.2021 01:47:46 (I) nbxmpp.stream | (heap.ovh) Set state: StreamState.WAIT_FOR_STREAM_START
01.10.2021 01:47:47 (I) nbxmpp.connection | (heap.ovh) Found TLS certificate errors: {<flags G_TLS_CERTIFICATE_EXPIRED of type Gio.TlsCertificateFlags>}
01.10.2021 01:47:47 (I) nbxmpp.connection | (heap.ovh) Signal: bad-certificate
01.10.2021 01:47:47 (I) nbxmpp.stream | (heap.ovh) Set error: StreamError.BAD_CERTIFICATE, bad certificate, None
01.10.2021 01:47:47 (I) nbxmpp.connection | (heap.ovh) Signal: certificate-set
01.10.2021 01:47:47 (I) nbxmpp.connection | (heap.ovh) Certificate Error: g-tls-error-quark: Unacceptable TLS certificate (2)
01.10.2021 01:47:47 (I) nbxmpp.connection | (heap.ovh) Remove keepalive timer
01.10.2021 01:47:47 (I) nbxmpp.connection | (heap.ovh) Set Connection State: TCPState.DISCONNECTED
01.10.2021 01:47:47 (I) nbxmpp.connection | (heap.ovh) Signal: disconnected
01.10.2021 01:47:47 (I) nbxmpp.stream | (heap.ovh) Set state: StreamState.DISCONNECTED
01.10.2021 01:47:47 (I) nbxmpp.stream | (heap.ovh) Signal: disconnected
01.10.2021 01:47:47 (I) gajim.client | Disconnect heap.ovh
Certificate check:
# openssl x509 -in /etc/ejabberd/fullchain.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:28:5a:47:bc:64:36:19:34:85:a2:b2:13:86:3c:c6:93:13
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: Aug 27 09:01:58 2021 GMT
Not After : Nov 25 09:01:57 2021 GMT
Subject: CN = *.heap.ovh
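
Added example (not part of the original report, and not Gajim or nbxmpp code): `openssl x509 -in fullchain.pem -text` prints only the first certificate in the file, so this sketch lists the validity window of every certificate in a PEM bundle and marks any that are past their end date. It assumes the standard X.509 DER layout; the function names are illustrative, and the bundle path is passed as the first argument.

```python
import base64, re, sys
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos: (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):
    # 0x17 = UTCTime (YYMMDD...), 0x18 = GeneralizedTime (YYYYMMDD...).
    # strptime's %y pivots at 69, RFC 5280 at 50; same result for years 2000-2049.
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) of one DER-encoded certificate."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] version
        tag, start, end = _tlv(der, end)   # serialNumber
    for _ in range(3):                     # signature, issuer, validity
        tag, start, end = _tlv(der, end)
    t1, a, b = _tlv(der, start)            # notBefore
    t2, c, d = _tlv(der, b)                # notAfter
    return _time(t1, der[a:b]), _time(t2, der[c:d])

def chain_report(pem, now=None):
    """One (position, notBefore, notAfter, expired) tuple per certificate in the bundle."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for i, m in enumerate(PEM_RE.finditer(pem)):
        nb, na = validity(base64.b64decode(m.group(1)))
        rows.append((i, nb, na, na < now))
    return rows

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as fh:
        for i, nb, na, expired in chain_report(fh.read()):
            print(f"cert {i}: {nb:%Y-%m-%d} .. {na:%Y-%m-%d} {'EXPIRED' if expired else 'ok'}")
```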