'Certificate has expired' error for Let's Encrypt certificates (DST Root CA X3 issued)

[felipeabou]

Is there an existing issue for this?

• I have searched the existing issues

Describe the Issue

I've seen that this problem has happened before: #8589

The problem started today. Postman says the SLL certificate is expired, but it's not:

We use Letsencrypt to deal with SSL on our APIs and believe it could have something to do with this: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

By now, I'm using the disable “SSL certificate verification” workaround.

This problem happened with version 9.0.3 and also with version 8~, because I tried to rollback to solve it, with no luck.

Also, when using the Postman Web, the issue is not happening. It only happens with the Native App version.

Steps To Reproduce

1. Try to hit any API that uses Letsencrypt to deal with SSL certificates.

Screenshots or Videos

Postman error:

Checking the same SSL on Chromium:

Environment Information

- Operating System: Ubuntu 20.02
- Platform Type: Native App
- Postman Version: 9.0.3

Additional Context?

No response

[adamsommer]

+1

- Operating System: macOS 10.15.7
- Postman Version: 9.0.3

[numaanashraf]

Postman v8 and v9 seems to be impacted by the recent cert expiry https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/. We are investigating this now.

[numaanashraf]

As a workaround, please turn off SSL verification via Settings > General.

[amurrell]

+1

also using lets encrypt and valid certs till nov 1st - acting up today. Upgraded to latest postman version and it's still not working. Disabled ssl verification for now.

[taconi]

+1

• OS: Ubuntu 21.04
• Kernel Release: 5.11.0-37-generic
• Postman Version: 8.12.2

[idkw]

Same :

• OS : Linux Mint 20
• Kernel : 5.4.0-88-generic
• Postman : 8.11.1

[Ray-B]

+1

• OS: Big Sur 11.6
• Postman: 9.0.3

[numaanashraf]

Thanks for your patience everyone. We have identified the issue and are testing out a potential fix internally. Once we have the fix verified, we'll release a patch on our v8.x and v9.x release lines.

[trixie88]

+1
postman V: 9.0.3

[mikeamcbrien]

+1

• OS: Big Sur 11.6
• Postman: 9.0.3

[danielgelling]

Also on:

• Postman Version 8.12.1
• OS X 20.6.0 / x64

[Freyert]

The LetsEncrypt expiration is a bit confusing because the expired certificate is left in the chain for backwards compatibility purposes from what we've read on their blog.

So there are two paths for the certificates, the new shorter valid path, and the longer expired path.

That is to say the issue is likely not that the trust store is missing a certificate, but that postman is ignoring the valid certificate path.

Update:

If postman is using a version of NodeJS older than 5 years it's likely they don't have the ISRG Root X1 in the trust chain.

https://github.com/nodejs/node/blame/master/src/node_root_certs.h#L2602-L2631

If someone wants to try you can extend the built in certificates via the environment variable NODE_EXTRA_CA_CERTS nodejs/node#9139

Update 2:

I've tried manually adding the CA for ISRG Root X1 from NodeJS to no avail. It's likely a conflict in the TLS resolution paths. If you want to try yourself just copy and paste the certificate I linked here into a file ending with .pem and import it into postman as you are accustomed to.

I don't know much about Postman so maybe someone can figure out how to get more details from there or correctly configure the certificate.

[numaanashraf]

@Freyert Postman uses Electron, which has a non-standard Node + BoringSSL integration. We believe this is happening cuz boringSSL is not configured to prefer the shorter part by default. We have patched this internally and is also working on upstreaming this.

electron/electron#31213

[Freyert]

@numaanashraf thanks for the transparency! I was a bit in the dark from the older issues on what was fixed last time. Thank you all for the quick turn around :)

[felipeabou]

Thanks, guys, for the fast response!

[cfecherolle]

+1 !
OS : Big Sur 11.2.2
Postman : 9.0.3
Indeed, the problem occurs when hitting URLs from domains with Let's Encrypt certificates.

[kabadabra]

+1

• OS: Big Sur 11.6
• Postman: 9.0.3
• Let's Encrypt Certificate

&

• OS: Windows 10 21H1 Build 19043.1237
• Postman: 9.0.3
• Let's Encrypt Certificate

[karelbilek]

You don't need to keep adding +1 folks, the error is already fixed on master and will get released

[CleverHosting]

9.04 still facing the problem

[tomswinkels]

+1

macOS Big Sur 11.5
Postman 9.0.3

[numaanashraf]

The fix for this issue is available now on v9.0.5 version. If you are on Postman v9.0 and above, do 'Check for Updates' to get access to this version. Looking forward to hearing if the issue is resolved at your end.

[EDIT] If you are on Postman v8, v8.12.4 is available as well with the fix.

[goran-insby]

Wow this was fast, installed and works perfect.

[felipeabou]

Wow, you guys were really fast with this! Thank you very much!
Using version 9.0.5 and everything is working perfectly.

[cretara]

Thanks for fix, now works great in Postman v.9.0.5

[numaanashraf]

The fix is now available on both v9 & v8 release lines via v9.0.5 & v8.12.4. Closing this issue.

[drissfoo]

Still have this issue for the last version v9.0.5 for macOS Big Sur 11.4
Certificate is valid til 31 October. Seems like a random issue happening only to me and not my colleagues.

"

[nhanledev]

Postman Desktop Agent v0.3.9 is also experiencing this issue

[zhuww0236]

The fix for this issue is available now on v9.0.5 version. If you are on Postman v9.0 and above, do 'Check for Updates' to get access to this version. Looking forward to hearing if the issue is resolved at your end.

[EDIT] If you are on Postman v8, v8.12.4 is available as well with the fix.

My electron application also shows' certificate has expired '. Can you share how to solve this problem? Thank you very much

[dan-j]

I thought the same thing as @drissfoo with it not working for me but working for colleagues, but they still had "verify ssl certs" disabled.

[evpill]

I'm on Postman version 9.1.1 (Windows) and still having this issue. I had "verify ssl certs" disabled but enabled it because I'm getting similar errors when setting up webhooks from GitHub and OpenShift Container Platform and was wondering why I wasn't getting the error there. Looks like it is still a widespread issue, possibly all these services are pulling from the same source for their Trusted CAs. However, it looks like my web-browsers are the only apps that can verify certificates correctly at the moment... :( ... Fortunately (???), I can disable SSL verification with GitHub webhooks and in Postman but haven't figured out how to make OSCP less secure yet...

It looks like I may have to adjust my expectations while waiting for everyone to adjust to CST (You thought DST was hard to adjust to, Covid Savings Time has everyone in a dream-like vacation daze). I would have thought that getting certificates to work properly would have been higher on peoples' priorities.

[davidaugustus-focusmate]

Seeing the same issue on Postman version 9.0.9 (MacOS, Chrome)

[bumblefudge]

Same here,
Windows 10 x64
Postman Agent W64 v0.3.9

[vivekmittal]

+1

[superboyiii]

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
See here. It's a dependency issue. Please update your OS dependency to the latest, then make POST or GET to the server with DST Root CA X3

[johnathany505]

Nothing ritenow

[AmiinaAhmed]

still have the same problem
OS: Windows 10
Postman v9.4.0 is the latest version.
and it is needed to disable the SSL certificate to works (however I have a warning)

[KamilWitkowski7]

This issue happens when one of the certs in pem files is outdated.
In my case removing the outdated cert from the pem file made this issue disappear.

[AlejandroDaneri]

+1