Server List Communication Issues - September 30, 2021


Post by blast »

We use Let's Encrypt TLS certificates for communication with the server list. On September 30, 2021, an old root certificate for the Let's Encrypt certificates expired. So some old operating systems or systems without updates installed may be unable to communicate with the server list.

Here's Let's Encrypt's post about the expiration:
https://letsencrypt.org/docs/dst-root-c ... mber-2021/

Both the client system and server system need to trust the "ISRG Root X1" certificate. Here is a partial list of systems that trust "ISRG Root X1":
  • Windows >= XP SP3 (assuming Automatic Root Certificate Update isn’t manually disabled)
  • macOS >= 10.12.1
  • iOS >= 10 (iOS 9 does not include it)
  • iPhone 5 and above can upgrade to iOS 10 and can thus trust ISRG Root X1
  • Android >= 7.1.1 (but Android >= 2.3.6 will work by default due to Let's Encrypt's special cross-sign)
  • Mozilla Firefox >= 50.0
  • Ubuntu >= xenial / 16.04 (with updates applied)
  • Debian >= jessie / 8 (with updates applied)
  • Java 8 >= 8u141
  • Java 7 >= 7u151
  • NSS >= 3.26
(Source: https://letsencrypt.org/docs/certificate-compatibility/)

A player on Windows 7 was unable to access the server list in the game (specifically getting a "Can't talk with list server" message), but after installing Microsoft's KB3004394 update, it worked again.

My Debian 9 server didn't have all its updates installed and none of the servers it was hosting were showing up on the list. After installing updates, which included some for curl and openssl, and restarting my bzfs servers, they were back on the list.
"In addition to knowing the secrets of the Universe, I can assure you that I am also quite potty trained." -Koenma (Yu Yu Hakusho)

Post by kbar »

I am having issues on Mac OS X. I have applied all of the OS patches, but am restricted to Mojave (10.14.6).

My system trusts the ISRG Root X1 certificate, and I can access the server through Safari, Chrome, and Firefox (https://my.bzflag.org/db/?action=LIST) but BZFlag 2.4.22 (and 2.4.20) cannot access it, first saying that the MOTD is unavailable, then saying "Can't talk with list server" when I try to see the server lists.

I can connect if I know the server, but of course cannot authenticate, so must use an unregistered name.

Post by pikknikker_2 »

I have the same problem as kbar. MacOS 10.13.6.
BZFlag 2.4.18 - 2.4.22.

Post by tainn »

On Fedora, you can issue the following command to see whether you trust ISRG Root X1:

trust list | grep -C 2 -i isrg

There shouldn't be any issues on the latest versions.

Post by kbar »

My computer trusts the certificate... looks like it is some issue in the BZ Client on Mac OS.

$ trust list | grep -C 2 -i isrg
pkcs11:id=...;type=cert
    type: certificate
    label: ISRG Root X1
    trust: anchor
    category: authority
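
The `trust list` check used in the posts above, as an added example that is not part of the original thread: it parses each object record instead of relying on grep context lines, and tells a trusted anchor apart from a certificate that is present but not trusted. The function names `ca_trust_state` and `sample_trust_list` are hypothetical, and the sample input is constructed.

```shell
# Added example, not from the thread: classify a CA from `trust list` output.
# Real use: trust list | ca_trust_state "ISRG Root X1"
# Prints the trust value of each certificate labelled $1 (stdin: trust list).
# Exit 0: at least one is an anchor; 1: present, none an anchor; 2: absent.
ca_trust_state() {
    awk -v want="$1" '
        function finish() {              # close the current object record
            if (kind == "certificate" && label == want) {
                found = 1
                print trust
                if (trust == "anchor") anchored = 1
            }
            kind = label = trust = ""
        }
        /^pkcs11:/ { finish(); next }    # each object starts with its URI
        /^[ \t]+[a-z-]+:/ {              # indented "key: value" field
            line = $0
            sub(/^[ \t]+/, "", line)
            key = line; sub(/:.*/, "", key)
            val = line; sub(/^[^:]*:[ \t]*/, "", val)
            if (key == "type") kind = val
            else if (key == "label") label = val
            else if (key == "trust") trust = val
        }
        END { finish(); rc = found ? (anchored ? 0 : 1) : 2; exit rc }
    '
}

# Constructed sample in the layout shown above; ids and trust values are made up.
sample_trust_list() {
    cat <<'EOF'
pkcs11:id=%AA;type=cert
    type: certificate
    label: ISRG Root X1
    trust: anchor
    category: authority

pkcs11:id=%BB;type=cert
    type: certificate
    label: DST Root CA X3
    trust: blacklisted
    category: authority
EOF
}

for ca in "ISRG Root X1" "DST Root CA X3"; do
    state=$(sample_trust_list | ca_trust_state "$ca") || true
    echo "$ca: ${state:-absent}"
done
```

A result of `anchor` describes the system trust store only; a program that uses its own TLS library or CA bundle may not consult it.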

Post by blast »

I'll be making some changes to the certificate generation that will help with older OSX versions and other systems with older versions of OpenSSL. So there may be some outages as I work on this. I believe systems will still need to have the ISRG Root X1 root certificate in order to validate the certificate.

Post by alfa1 »

On my Linux I got it to work by doing:

1) update all "openssl" packages (6, including "ca-certificates-mozilla") and, after they are installed, all "openssh" ones (2);
2) download the new certificate from https://letsencrypt.org/certs/isrgrootx1.pem , rename it to "ISRG_Root_X1.pem" and copy it to /usr/share/ca-certificates/mozilla ;
3) move "DST_Root_CA_X3.pem" from it to another place but outside of /usr/share/ca-certificates ; and
4) run "update-ca-certificates".

On my not-so-new and standalone Firefox (which seems independent of the previous packages):

(translated from Spanish)
1) go to Preferences/Advanced/Certificates/See Certificates;
2) look for "DST Root CA X3", click on it, go to "Edit Confidence" and uncheck "This certificate can identify web sites"; and
3) go to "Import" and select the new downloaded certificate file (renamed), select "Open" and check "Trust on this CA to identify web sites".

Thanks allejo, blast007 and catay from IRC/chat for helping me!

Post by blast »

I have updated the certificate generation on the main server and the download server. So older systems should be working now, as long as they have the ISRG Root X1 certificate installed.

Post by chickenfarmer »

kbar and other Mac users,

You need to install the cert mentioned above by using Import in the "Keychain Access" program.

Once you import it (preferably into System for all users), you need to click on it, go to the Trust section and select Always Trust under "when using..."

Post by pikknikker_2 »

...back in the game! thx, blast!
No action required regarding the cert. The server action seemed to do the trick.