Re: BUG #17210: Postgres Let'sEncrypt root certificate is expired and breaks installation of postgres-client

On Fri, Oct 1, 2021 at 3:36 PM PG Bug reporting form <noreply(at)postgresql(dot)org>
wrote:

> The following bug has been logged on the website:
>
> Bug reference: 17210
> Logged by: Andres Ehrenpreis
> Email address: andres(dot)ehrenpreis(at)gmail(dot)com
> PostgreSQL version: 11.12
> Operating system: Ubuntu 16.04.7 LTS
> Description:
>
> When installing Postgres through Chef like this:
>
> # PostgreSQL database client:
> postgresql_client_install "Install PostgreSQL-client v11" do
> version "11"
> end
>
> Then server-deployment fails with the error as follows:
> [2021-10-01T12:06:52+00:00] ERROR: SSL Validation failure connecting to
> host: download.postgresql.org - SSL_connect returned=1 errno=0
> state=error:
> certificate verify failed (certificate has expired)
>
> Looks like download.postgresql.org cert-chain is broken.
>

Please don't cross-post the same question to multiple locations.

I will copy the response you already received, for anybody finding this in
the archives:

The certificate has not expired, but it is updated with the newer chain
from LetsEncrypt. This error is normally caused by your operating system
having a very old and unpatched version of OpenSSL on it. What operating
system and version are you running, and what's the version of your OpenSSL
packages?

I guess this one does include the operating system, being ubuntu 16.04. A
fully patched Ubuntu 16.04 should have no problem accessing the site using
the standard tools. So either your system is not fully patched, or Chef is
doing something differently, in which case you need to bring it up with
chef. (The standard install ways for PostgreSQL on Debian and Ubuntu does
not include the hostname download.postgresql.org anywhere)

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>