• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Issue PHP imap_open + ADDTrust External CA Root Expiration

Epic Voyage

Epic Voyage

New Pleskian
Today I have started to receive these errors for a PHP script which connects to the Plesk IMAP server:

PHP Fatal error: Uncaught Exception: Error connecting to IMAP server [example.com]:993 with SSL as [username]: Certificate failure for [example.com]: certificate has expired: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root in /var/www/vhosts/[example.com]/plugins/Imap/cron.php:104
Stack trace:
#0 {main}
thrown in /var/www/vhosts/[example.com]/plugins/Imap/cron.php on line 104
PHP Notice: Unknown: Certificate failure for [example.com]: certificate has expired: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root (errflg=2) in Unknown on line 0
Click to expand...

It does appear that the root certificate expires today, but certificates are supposed to be cross-signed. This error is occurring when calling PHP's imap_open function, so it looks like a configuration issue with PHP. I have tried to run the script with the latest PHP interpreter manually and have the same issue:

# /opt/plesk/php/7.3/bin/php cron.php
Click to expand...

CentOS Linux 7.8.2003 (Core)

Plesk Obsidian
Version 18.0.27 Update #1, last updated on May 30, 2020 06:01 PM

# yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.vexxhost.com
* epel: mirror.dst.ca
No packages marked for update
Click to expand...

OpenSSL from the same server reports that the certificate is still valid:

# openssl s_client -showcerts -connect [example.com]:993 -servername [example.com]
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = [example.com]
verify return:1
---
Certificate chain
0 s:/CN=[example.com]
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=[example.com]
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3256 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 92FF7FF4CFA5D62C5EEC383C4799D81DFAF0C0C30EC06444C3C60B0A9D8BB3D8
Session-ID-ctx:
Master-Key: 4EA185BBFA89A6ECF05A7B6DFEB96EFCC6037831F0B35F995EA95D9A7C1E7AD8D2646E57C87DD2FF2475DF0CAFE67552
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 31 7d 56 07 6f ee 7c 2f-ab a4 63 64 e9 5b 81 6b 1}V.o.|/..cd.[.k
0010 - ed f6 6b 46 22 f5 06 46-e6 72 e7 f8 fd 24 fa 10 ..kF"..F.r...$..
0020 - 7b 99 41 00 b9 c3 9f 37-13 45 48 d6 21 76 10 8d {.A....7.EH.!v..
0030 - ec c2 1c e6 39 05 5f f2-43 e6 db 45 41 a1 ca 50 ....9._.C..EA..P
0040 - 18 f2 16 b5 8d e4 7b 4d-f9 e8 49 4a 7c e6 e0 16 ......{M..IJ|...
0050 - 6f 0f a9 95 dc 23 6a 81-47 50 e7 3a 3b be 4a ae o....#j.GP.:;.J.
0060 - cb 6b a7 e4 d7 24 36 35-46 8d 6f 22 03 22 51 1e .k...$65F.o"."Q.
0070 - cc da 8b a9 0f bd e9 3c-20 1a d5 2c d4 f7 be 09 .......< ..,....
0080 - 4f f7 db 9f 28 c7 9a 68-19 74 bd 87 39 f5 e9 e1 O...(..h.t..9...
0090 - fb cb eb 8d 22 39 e6 64-b6 1f 50 a0 c6 e4 c0 9b ...."9.d..P.....
00a0 - 14 1e 65 b0 68 61 a3 17-d2 d4 92 dd 31 f4 75 f2 ..e.ha......1.u.

Start Time: 1590883149
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
Click to expand...

How should I update the root certificates for the Plesk-managed PHP interpreter?
 
Last edited:
For anyone else who runs into this, it appears to be an RHEL issue and can be temporarily worked around by editing /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem to remove this certificate:

Code: 
# AddTrust External Root
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----

Source
 
You must log in or register to reply here.

Similar threads

T
Resolved Lets Encrypt root certificate expiration on 30 September 2021
2
Replies
31
Views
20K
futureweb
futureweb
E
Issue Nginx 400 bad request with api call (php curl)
Replies
0
Views
3K
Erwan
E
websavers
Forwarded to devs PHP libcurl fails to populate certinfo array
Replies
2
Views
3K
websavers
websavers
Dukemaster
Resolved HSTS doesn't work anymore
2
Replies
33
Views
8K
virtubox
virtubox
O
SSL certificate and SSO server
Replies
9
Views
4K
IgorG
IgorG
Back
Top