I suspect it is because Let’s Encrypt invalidated their old CA chain today. The remote server already supports the new chain, but maybe the CA certificate for this is not available to SWI’s SSL lib.
I currently use SWI with Ubuntu 16.04 LTS:
# swipl --version
SWI-Prolog version 8.2.4 for x86_64-linux
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.7 LTS
Release: 16.04
Codename: xenial
Not sure how to fix the problem. Is the problem in the SSL lib from SWI or from Ubuntu? The server itself provides the new certificate chain, so it should be installed fine on OS side.
Mhm, seems it is in the OpenSSL lib, I found this information now:
“if clients of your API are using OpenSSL, they must use version 1.1.0 or later. In OpenSSL 1.0.x, a quirk in certificate verification means that even clients that trust ISRG Root X1 will fail”
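The rule quoted above, turned into a local check (an added example, not code from any poster in this thread). It assumes the Debian/Ubuntu ca-certificates file names ISRG_Root_X1.pem and DST_Root_CA_X3.pem; the function names and verdict strings are hypothetical, and the point that OpenSSL 1.0.x only fails while the expired DST Root CA X3 is still trusted is background that the thread does not state.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the thread. Function names and verdict
# strings are hypothetical; file names follow Debian/Ubuntu ca-certificates.

# legacy_openssl "<output of 'openssl version'>"
# Returns 0 if OpenSSL is older than 1.1.0, 1 if not, 2 if unparseable.
legacy_openssl() {
    case "$1" in OpenSSL\ *) ;; *) return 2 ;; esac
    ver=${1#OpenSSL }; ver=${ver%% *}          # e.g. 1.0.2g
    major=${ver%%.*}
    rest=${ver#*.}; minor=${rest%%.*}
    case "$major.$minor" in *[!0-9.]*|.*|*.) return 2 ;; esac
    [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 1 ]; }
}

# chain_verdict "<output of 'openssl version'>" <certificate directory>
# Prints one verdict word and always returns 0.
chain_verdict() {
    dir=$2
    # Without ISRG Root X1 as a trust anchor the new chain cannot verify.
    [ -e "$dir/ISRG_Root_X1.pem" ] || { echo missing-isrg-root-x1; return 0; }
    rc=0
    legacy_openssl "$1" || rc=$?
    case $rc in
        0)  # OpenSSL 1.0.x: fails while the expired root is still trusted.
            if [ -e "$dir/DST_Root_CA_X3.pem" ]; then
                echo legacy-openssl-expired-root-trusted
            else
                echo legacy-openssl-expired-root-removed
            fi ;;
        1)  echo ok ;;
        *)  echo unknown-openssl-version ;;
    esac
}

# Report on the local system when the openssl CLI is available.
if command -v openssl >/dev/null 2>&1; then
    chain_verdict "$(openssl version)" /etc/ssl/certs
fi
```

Note that this inspects the `openssl` command-line tool; an application may be linked against a different libssl than the one the CLI reports.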
Yeah I see, I’m on my way. During 5 years a lot of configuration effort went into the server. Happily I protocolled everything - but it is still quite some work. I think I have to dockerize this so I can replay it anytime.
16.04 reached end-of-life unless you buy an extended support contract from Canonical. Upgrading is probably wise. As a quick hack though you might get away with getting the ca-certificates package from a later release … Don’t blame me if something goes wrong.
In-place upgrades may work as well, first to 18.04 and then to 20.04.
Thanks for your hints. Unfortunately they don’t support dist-upgrade on a V-Server. So I rely on backup of /home+/etc, install 20.04+packages and then diff+merge /etc back piece by piece.
Meanwhile I made decent progress: Prolog + SSL working now. Only postfix+SASL causes headaches every time I have to reinstall it on some server …