Letsencrypt root CA certificate expiration

The root CA certificate for Letsencrypt expires today. They have changed to a new provider, but some older systems or libraries do not support it. I am able to browse to my Joplin server that is signed with a Letsencrypt cert, but Joplin reports certificate expired.

For reference: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

For other support queries please indicate:

  • Joplin 2.4.9 (prod, darwin)
  • MacOS 11.6
  • syncing with the Joplin Server docker image through a Traefik reverse proxy
4 Likes

Same here! I'm using the flatpak version. Joplin 2.4.9.

Luckily, we can temporarily "ignore TLS errors" in the advanced settings under the synchronization section.

Anyone knows how to fix this?

Edit: I'm watching this thread and will try to provide a solution as soon as one is available: [Bug]: Let's Encrypt root CA isn't working properly · Issue #31212 · electron/electron · GitHub

1 Like

This was driving me absolutely nuts until I found out that many people are running into this same issue. If I understand right something in Joplin needs to be changed to correct this? Or does my admin need to fix something on the server side?

Something will need to be fixed on the app but it's unclear what at this point. In the meantime you should be able to fix the server using this method: [Bug]: Let's Encrypt root CA isn't working properly · Issue #31212 · electron/electron · GitHub

Looks like they have a proposed fix.

I think there's an unfortunate chance that this might only end up applied to the actively supported Electron versions (13, 14, 15). Since this problem effectively breaks every Electron version prior, I doubt they'd rebuild earlier releases because there has to be a line drawn somewhere (there are people saying this affects Electron 8, which they're still actively using, for example).

Looks like it's only a few lines of code for the fix. If that is the verified fix, couldn't someone just backport it into the older version of Electron?

The backporting might be fairly trivial, but the build process for Electron takes hours to days even on dedicated machinery. Combined with multiple versions and multiple architectures, I doubt Microsoft would bother with anything that isn't officially supported still.

npm doesn't build Electron, it downloads pre-compiled binaries. Building it just takes forever.

For example, setting up Chromium on ARM64 takes Ubuntu/Canonical 3 days.

Okay, so it sounds like: fix it on the backend, because the app may be fixed basically never.

I'm really hoping they'll consider backporting the fix because it's a major problem for thousands of apps out there, and many of these can't easily upgrade Electron.

OK, looks like they'll only backport to v12 and we're on v10. There's a version that's no good for us due to sandbox changes, but I forgot which one (maybe v13? :crossed_fingers:). Hopefully we can at least upgrade to v12 without too much trouble.

fix: Enable X509_V_FLAG_TRUSTED_FIRST flag in BoringSSL by jviotti · Pull Request #31213 · electron/electron · GitHub

2 Likes
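To make the failure discussed in this thread concrete, here is an added Python model of certificate path building (example code written for this page; it is not Joplin, Electron, OpenSSL or BoringSSL code). It reproduces the two things people keep asking about: why a verifier without "trusted first" walks from the server-sent cross-signed ISRG Root X1 up to the expired DST Root CA X3 and reports "certificate has expired", and why either the Electron fix (prefer the trust store, the effect of X509_V_FLAG_TRUSTED_FIRST) or the server-side fix (serve the short chain that ends at ISRG Root X1) makes the same trust store accept the same leaf. Certificate names and notAfter dates follow the published Let's Encrypt hierarchy; the leaf host `joplin.example.net`, its expiry, and the two sample trust stores are constructed assumptions.

```python
from datetime import datetime, timezone

UTC = timezone.utc


class Cert:
    """Minimal stand-in for an X.509 certificate: only what path building looks at."""

    def __init__(self, subject, issuer, not_after):
        self.subject = subject
        self.issuer = issuer
        self.not_after = not_after

    def is_self_signed(self):
        return self.subject == self.issuer

    def expired_at(self, now):
        return now > self.not_after

    def __repr__(self):
        return f"{self.subject} <- {self.issuer}"


# Names and notAfter values follow the published Let's Encrypt hierarchy.
DST_ROOT_CA_X3 = Cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30, 14, 1, 15, tzinfo=UTC))
ISRG_ROOT_X1 = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4, 11, 4, 38, tzinfo=UTC))
# Cross-signed copy of ISRG Root X1: same subject, but issued by DST Root CA X3.
ISRG_ROOT_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30, 18, 14, 3, tzinfo=UTC))
R3 = Cert("R3", "ISRG Root X1", datetime(2025, 9, 15, 16, 0, 0, tzinfo=UTC))
# Hypothetical leaf for an imaginary Joplin Server host (constructed, not a real certificate).
LEAF = Cert("joplin.example.net", "R3", datetime(2021, 12, 20, 0, 0, 0, tzinfo=UTC))

# Chains as a server sends them: leaf first, root omitted.
LONG_CHAIN = [LEAF, R3, ISRG_ROOT_X1_CROSS]   # Let's Encrypt default chain in 2021
SHORT_CHAIN = [LEAF, R3]                       # alternate chain, ends at ISRG Root X1

# Constructed trust stores and reference dates for the scenarios below.
DESKTOP_STORE_2021 = [DST_ROOT_CA_X3, ISRG_ROOT_X1]   # has both roots
DST_ONLY_STORE = [DST_ROOT_CA_X3]                     # never learned ISRG Root X1
BEFORE_EXPIRY = datetime(2021, 9, 29, tzinfo=UTC)
AFTER_EXPIRY = datetime(2021, 10, 1, tzinfo=UTC)


def build_path(chain, trust_store, now, trusted_first):
    """Walk from the leaf to a trusted self-signed root, then check expiry.

    trusted_first=False models the legacy behaviour (BoringSSL without
    X509_V_FLAG_TRUSTED_FIRST, OpenSSL before 1.1.0): the next issuer is taken
    from the server-sent chain whenever one matches, and the trust store is
    consulted only when the chain has nothing. trusted_first=True reverses
    that preference. Returns (path, status); status is "ok" or a reason.
    """
    leaf, extras = chain[0], chain[1:]
    path = [leaf]
    current = leaf
    while True:
        if current.is_self_signed():
            if current in trust_store:
                break
            return path, f"self-signed but untrusted: {current.subject}"
        from_store = [c for c in trust_store if c.subject == current.issuer]
        from_chain = [c for c in extras if c.subject == current.issuer]
        candidates = from_store + from_chain if trusted_first else from_chain + from_store
        if not candidates:
            return path, f"unable to get issuer certificate: {current.issuer}"
        current = candidates[0]
        path.append(current)
    for cert in path:
        if cert.expired_at(now):
            return path, f"certificate has expired: {cert.subject} (issuer {cert.issuer})"
    return path, "ok"


def verify_status(chain, trust_store, now, trusted_first=False):
    return build_path(chain, trust_store, now, trusted_first)[1]


if __name__ == "__main__":
    for label, chain, flag in [
        ("legacy client, long chain", LONG_CHAIN, False),
        ("trusted-first client, long chain", LONG_CHAIN, True),
        ("legacy client, short chain", SHORT_CHAIN, False),
    ]:
        path, status = build_path(chain, DESKTOP_STORE_2021, AFTER_EXPIRY, flag)
        print(f"{label}: {status}")
        print("   path: " + " -> ".join(c.subject for c in path))
```

The `DST_ONLY_STORE` scenario is the reason the long chain was the default in the first place: a store that never received ISRG Root X1 can only validate the leaf through the cross-sign, so serving the short chain trades those old clients for compatibility with verifiers like the one in Electron v10.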

I assume whatever is implemented is going to take quite some time?

No ETA but it bothers me enough that I'll probably look at it quite soon.

I have the same issue with Joplin on Windows. I was able to fix Chrome having issues with LE sites by installing their root cert into the Windows cert store, but Joplin (and, I'm guessing, all other Electron apps) does not accept that solution.

Use this one instead: