
Server List Communication Issues - September 30, 2021

Posted: Fri Oct 01, 2021 12:55 am
by blast
We use Let's Encrypt TLS certificates for communication with the server list. On September 30, 2021, an old root certificate for the Let's Encrypt certificates expired. So some old operating systems or systems without updates installed may be unable to communicate with the server list.

Here's Let's Encrypt's post about the expiration:
https://letsencrypt.org/docs/dst-root-c ... mber-2021/

Both the client system and server system need to trust the "ISRG Root X1" certificate. Here is a partial list of systems that trust "ISRG Root X1":
  • Windows >= XP SP3 (assuming Automatic Root Certificate Update isn’t manually disabled)
  • macOS >= 10.12.1
  • iOS >= 10 (iOS 9 does not include it)
  • iPhone 5 and above can upgrade to iOS 10 and can thus trust ISRG Root X1
  • Android >= 7.1.1 (but Android >= 2.3.6 will work by default due to Let's Encrypt's special cross-sign)
  • Mozilla Firefox >= 50.0
  • Ubuntu >= xenial / 16.04 (with updates applied)
  • Debian >= jessie / 8 (with updates applied)
  • Java 8 >= 8u141
  • Java 7 >= 7u151
  • NSS >= 3.26
(Source: https://letsencrypt.org/docs/certificate-compatibility/)

A player on Windows 7 was unable to access the server list in the game (specifically getting a "Can't talk with list server" message), but after installing Microsoft's KB3004394 update, it worked again.

My Debian 9 server didn't have all its updates installed and none of the servers it was hosting were showing up on the list. After installing updates, which included some for curl and openssl, and restarting my bzfs servers, they were back on the list.

Re: Server List Communication Issues - September 30, 2021

Posted: Fri Oct 01, 2021 4:35 am
by kbar
I am having issues on Mac OS X. I have applied all of the OS patches, but am restricted to Mojave (10.14.6).

My system trusts the ISRG Root X1 certificate, and I can access the server through Safari, Chrome, and Firefox (https://my.bzflag.org/db/?action=LIST) but BZFlag 2.4.22 (and 2.4.20) cannot access it, first saying that the MOTD is unavailable, then saying "Can't talk with list server" when I try to see the server lists.

I can connect if I know the server, but of course cannot authenticate, so must use an unregistered name.

Re: Server List Communication Issues - September 30, 2021

Posted: Fri Oct 01, 2021 8:19 am
by pikknikker_2
I have the same problem as kbar. MacOS 10.13.6.
BZFlag 2.4.18 - 2.4.22.

Re: Server List Communication Issues - September 30, 2021

Posted: Fri Oct 01, 2021 5:27 pm
by tainn
On Fedora, you can issue the following command to see whether you trust ISRG Root X1:

Code:

trust list | grep -C 2 -i isrg

There shouldn't be any issues on the latest versions.

Re: Server List Communication Issues - September 30, 2021

Posted: Fri Oct 01, 2021 9:20 pm
by kbar
My computer trusts the certificate... looks like it is some issue in the BZ Client on Mac OS.

Code:

$ trust list | grep -C 2 -i isrg
pkcs11:id=...;type=cert
    type: certificate
    label: ISRG Root X1
    trust: anchor
    category: authority
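
The check from the posts above, as an added example that is not part of the original thread: a POSIX shell function that parses `trust list` output in the format shown here and tests the `trust:` field for an exact label, instead of reading grep context by eye. The function names and the sample records are constructed for illustration.

```shell
# Added example: reads `trust list` output on stdin and reports what the trust store records.
# root_trust LABEL: print "label|trust|category" for each record with that label.
root_trust() {
    awk -v want="$1" '
        function emit() {
            if (label != "" && tolower(label) == tolower(want))
                printf "%s|%s|%s\n", label, trust, category
            label = ""; trust = ""; category = ""
        }
        /^pkcs11:/ { emit(); next }        # each record starts with a PKCS#11 URI
        /^[ \t]+[a-z]+:/ {                 # indented "key: value" field
            key = $1; sub(/:$/, "", key)
            val = $0; sub(/^[ \t]+[a-z]+:[ \t]*/, "", val)
            if (key == "label")    label = val
            if (key == "trust")    trust = val
            if (key == "category") category = val
        }
        END { emit() }
    '
}

# has_anchor LABEL: succeed only if LABEL is recorded as a trusted CA anchor.
has_anchor() {
    root_trust "$1" | grep -q '|anchor|authority$'
}

# Constructed sample in the format shown above; not captured from a real system.
sample_trust_list() {
    cat <<'EOF'
pkcs11:id=...;type=cert
    type: certificate
    label: DST Root CA X3
    trust: anchor
    category: authority

pkcs11:id=...;type=cert
    type: certificate
    label: ISRG Root X1
    trust: anchor
    category: authority
EOF
}

# On a real system, replace sample_trust_list with: trust list
for ca in "ISRG Root X1" "DST Root CA X3"; do
    sample_trust_list | has_anchor "$ca" && echo "$ca: trust anchor" || echo "$ca: not a trust anchor"
done
```

A record whose `trust:` value is anything other than `anchor` makes `has_anchor` fail, which a plain grep for the label would not show.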

Re: Server List Communication Issues - September 30, 2021

Posted: Sat Oct 02, 2021 11:44 pm
by blast
I'll be making some changes to the certificate generation that will help with older OSX versions and other systems with older versions of OpenSSL. So there may be some outages as I work on this. I believe systems will still need to have the ISRG Root X1 root certificate in order to validate the certificate.

Re: Server List Communication Issues - September 30, 2021

Posted: Sun Oct 03, 2021 2:17 am
by alfa1
On my Linux I got it to work by doing:

1) update all "openssl" packages (6, including "ca-certificates-mozilla") and, after they are installed, all "openssh" ones (2);
2) download the new certificate from https://letsencrypt.org/certs/isrgrootx1.pem , rename it to "ISRG_Root_X1.pem" and copy it to /usr/share/ca-certificates/mozilla ;
3) move "DST_Root_CA_X3.pem" from it to another place but outside of /usr/share/ca-certificates ; and
4) run "update-ca-certificates".

On my not-so-new and standalone Firefox (which seems independent of the previous packages):

(translated from Spanish)
1) go to Preferences/Advanced/Certificates/See Certificates;
2) look for "DST Root CA X3", click on it, go to "Edit Confidence" and uncheck "This certificate can identify web sites"; and
3) go to "Import" and select the new downloaded certificate file (renamed), select "Open" and check "Trust on this CA to identify web sites".

Thanks allejo, blast007 and catay from IRC/chat for helping me!

Re: Server List Communication Issues - September 30, 2021

Posted: Sun Oct 03, 2021 11:46 am
by blast
I have updated the certificate generation on the main server and the download server. So older systems should be working now, as long as they have the ISRG Root X1 certificate installed.

Re: Server List Communication Issues - September 30, 2021

Posted: Sun Oct 03, 2021 2:08 pm
by chickenfarmer
kbar and other Mac users,

You need to install the cert mentioned above by using Import in the "Keychain Access" program.

Once you import it (preferably into System for all users), you need to click on it, go to the Trust section and select Always Trust under "when using..."

Re: Server List Communication Issues - September 30, 2021

Posted: Mon Oct 04, 2021 11:06 am
by pikknikker_2
...back in the game! thx, blast!
No action required regarding the cert. The server action seemed to do the trick.