<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#f0f0f0">
<font face="Consolas"><br>
<font color="red">Oh my gosh! Thank you. I am a newbie when it
comes to certificates. I am only using TLS for outbound calls. I
thought I shouldn't need a certificate when doing outbound only
[a client] but was getting some weird error. After I read your
email I simply commented out both "certificate" lines in my
configuration and it works!!!<br>
<br>
One last question. I don't need certbot at all then, right?<br>
<br>
Thanks again,<br>
Ray<br>
</font><br>
Viktor Dukhovni wrote:<br>
> On Tue, Nov 01, 2022 at 05:55:08AM -0500, Ray Crumrine wrote:<br>
><br>
>> SSL SSL_ERROR_SSL (Handshake): Level: 0 err:
<336151573> <SSL <br>
>> routines-ssl3_read_bytes-sslv3 alert certificate
expired><br>
> Is this logged by the TLS client or server? In other words
are you<br>
> running a client application making outgoing connections or a
server<br>
> application receiving incoming connections?<br>
><br>
>> but not all of the time. Only when I try to access<br>
>> us-east-va.sip.flowroute using tlsv1.2.<br>
> This sounds like "client". TLS alerts are sent by the other
end of the<br>
> connection, so if you're getting "certificate expired" alerts
from a<br>
> server, that means that your client is *sending* an expired
certificate<br>
> to the server (which must have solicited, possibly optional,
client<br>
> certificates). The server in question does send certificate
requests:<br>
><br>
> Transport Layer Security<br>
> TLSv1.2 Record Layer: Handshake Protocol: Certificate
Request (fragment)<br>
> Content Type: Handshake (22)<br>
> Version: TLS 1.2 (0x0303)<br>
> Length: 16384<br>
> Handshake Protocol: Certificate Request
(fragment)<br>
> ...<br>
><br>
>> I have tried two other sites using the same configuration
and they work <br>
>> fine. Is there a simple configuration change or do I need
OpenSSL v3.0?<br>
> The other sites presumably don't solicit client
certificates. The<br>
> simplest choice is to not configure a client certificate
unless you're<br>
> sure you're going to need one.<br>
><br>
>> Checking with <br>
>>
<a class="moz-txt-link-freetext" href="https://decoder.link/sslchecker/us-east-va.sip.flowroute.com/5061">https://decoder.link/sslchecker/us-east-va.sip.flowroute.com/5061</a>
<br>
>> everything checks fine???<br>
> The probe does not send expired client certs.<br>
><br>
<br>
<br>
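The diagnosis in the quoted reply, as an added example that is not part of this thread: a small Python classifier over constructed TLS 1.2 records that flags a CertificateRequest in the server's flight (the server solicits client certificates) and a certificate_expired alert (the peer rejected the certificate we presented). The record and message builders, the sample bytes and all function names are my own assumptions; handshake fragments spanning records are not reassembled.

```python
"""Classify TLS 1.2 records received from a peer to explain a 'certificate expired' alert."""
import struct

ALERT, HANDSHAKE = 21, 22
CERTIFICATE_REQUEST = 13   # HandshakeType (RFC 5246, 7.4.4)
CERTIFICATE_EXPIRED = 45   # AlertDescription (RFC 5246, 7.2.2)

def tls_record(content_type, payload):
    """Wrap a payload in a TLS record: type(1) version(2) length(2) body."""
    return bytes([content_type]) + b"\x03\x03" + struct.pack(">H", len(payload)) + payload

def certificate_request(cert_types=b"\x01\x40", sig_algs=b"\x04\x01\x05\x01", cas=b""):
    """Constructed CertificateRequest handshake message (not a real capture)."""
    body = (bytes([len(cert_types)]) + cert_types
            + struct.pack(">H", len(sig_algs)) + sig_algs
            + struct.pack(">H", len(cas)) + cas)
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

def records(data):
    """Yield (content_type, payload) for each complete record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, length = data[off], struct.unpack(">H", data[off + 3:off + 5])[0]
        yield ctype, data[off + 5:off + 5 + length]
        off += 5 + length

def handshake_messages(payload):
    """Yield (handshake_type, body) for the messages packed into one record payload."""
    off = 0
    while off + 4 <= len(payload):
        htype, length = payload[off], int.from_bytes(payload[off + 1:off + 4], "big")
        yield htype, payload[off + 4:off + 4 + length]
        off += 4 + length

def classify(data, sent_by="server"):
    """Return human-readable findings for records the peer sent us."""
    findings = []
    for ctype, payload in records(data):
        if ctype == HANDSHAKE:
            for htype, body in handshake_messages(payload):
                if htype == CERTIFICATE_REQUEST:
                    n = body[0]  # length of the certificate_types vector
                    findings.append(f"{sent_by} solicits a client certificate (types {list(body[1:1 + n])})")
        elif ctype == ALERT and len(payload) == 2 and payload[1] == CERTIFICATE_EXPIRED:
            level = "fatal" if payload[0] == 2 else "warning"
            findings.append(f"{sent_by} sent {level} alert certificate_expired: "
                            "the certificate WE presented is expired; renew it or stop configuring one")
    return findings

# Constructed sample: the server's flight carries a CertificateRequest, then a fatal alert follows.
SAMPLE = tls_record(HANDSHAKE, certificate_request()) + tls_record(ALERT, bytes([2, CERTIFICATE_EXPIRED]))
```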
</font>
</body>
</html>