Koozali.org: home of the SME Server

Letsencrypt openssl DST Root CA X3 expiration

ReetP
Letsencrypt openssl DST Root CA X3 expiration
« on: October 02, 2021, 07:46:12 PM »
An FYI.

If you are on Koozali v10 then you should not be affected by this. Your certificates and chains will have been upgraded - might need some updates and flush things out but you will be fine.

If you haven't upgraded (and I am one that has some outstanding because I need some contribs that I haven't finished hacking yet due to the pandemic) then you may find all sorts of odd things start happening. Or don't happen at all.

The joke is that they say it only affects a handful of users. There's a lot of forum posts... just sayin'.......

These posts refer:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates

https://community.letsencrypt.org/t/rhel-centos-6-openssl-client-compatibility-after-dst-root-ca-x3-expiration

https://letsencrypt.org/docs/certificate-compatibility/

https://letsencrypt.org/2020/11/06/own-two-feet.html

(Note they have set a cutoff at Android 7.x as that means 66% or so covered. Which means they are also cutting off 33%, who are using older devices and are therefore probably in underprivileged areas)

I have managed to follow the instructions on how to build some updated openssl & ca-cert rpms which resolves some of the issues on CentOS 6 v9.

However, don't ask me for them. I have no idea how secure they are and as a result I am not letting them out in the wild.

I also don't want to encourage the use of v9 - you really need to upgrade.

But suffice to say if you have had some issues then have a look at those links to understand why.

If you are smart enough to understand the problem then you will be able to build rpms - I just followed the notes in the posts. If you can't build rpms then you probably don't understand the risks and you should not be looking at this, so just upgrade.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
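A client-side check in the spirit of the linked RHEL/CentOS 6 post, added here as an example and not taken from the forum thread: it looks for the expired DST Root CA X3 and for ISRG Root X1 in a trust store and combines that with the OpenSSL version the interpreter was built against. SAMPLE_TRUST_STORE is a constructed stand-in for what ssl.SSLContext.get_ca_certs() returns; check_local() runs the same logic on the interpreter's real default store.

```python
import ssl
import time

# Constructed sample in the shape ssl.SSLContext.get_ca_certs() returns: the two
# roots that matter for the Let's Encrypt transition, with their real notAfter dates.
SAMPLE_TRUST_STORE = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]


def common_name(cert):
    """Pull the subject CN out of a get_ca_certs()-style dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def assess_trust_store(ca_certs, openssl_version, now=None):
    """Classify a trust store plus OpenSSL version against the DST Root CA X3 expiry.

    A client is at risk when ISRG Root X1 is not trusted at all, or when it runs an
    OpenSSL 1.0.x-era verifier that still holds the expired DST Root CA X3: that
    verifier follows the default Let's Encrypt chain up to the expired root and
    fails instead of stopping at the trusted ISRG Root X1.
    """
    now = time.time() if now is None else now
    by_cn = {common_name(c): c for c in ca_certs}
    dst = by_cn.get("DST Root CA X3")
    dst_expired = dst is not None and ssl.cert_time_to_seconds(dst["notAfter"]) < now
    has_isrg = "ISRG Root X1" in by_cn
    old_verifier = tuple(openssl_version[:3]) < (1, 1, 0)
    return {
        "dst_root_present": dst is not None,
        "dst_root_expired": dst_expired,
        "isrg_root_x1_trusted": has_isrg,
        "old_openssl_verifier": old_verifier,
        "at_risk": (not has_isrg) or (dst_expired and old_verifier),
    }


def check_local():
    """Run the assessment against this interpreter's default trust store.
    get_ca_certs() lists only roots already loaded, so an empty store here means
    the default store could not be loaded, not that it is clean."""
    ctx = ssl.create_default_context()
    return assess_trust_store(ctx.get_ca_certs(), ssl.OPENSSL_VERSION_INFO)


if __name__ == "__main__":
    for key, value in check_local().items():
        print(f"{key}: {value}")
```

The remediation the linked posts describe maps onto the findings: an old verifier with the expired root present is fixed by updating OpenSSL or dropping DST Root CA X3 from the store, and a missing ISRG Root X1 is fixed by updating ca-certificates.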

ReetP
Re: Letsencrypt openssl DST Root CA X3 expiration
« Reply #1 on: October 02, 2021, 08:08:06 PM »
An example of the issue here on my up-to-date *buntu desktop:

Code:
Err:13 https://repos.codelite.org/ubuntu bionic Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 79.143.189.67 443]
E: The repository 'https://repos.codelite.org/ubuntu bionic Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

But here is the release file:

https://repos.codelite.org/ubuntu/dists/bionic/Release

You may find some PHP programs using https/ssl/tls have issues as well - I had one that appears to be struggling to make an authenticated connection to a mail server.

YMMV.