@kujiy
Last active October 1, 2021 08:27
Let's Encrypt DST Root CA X3 Expiration: Work Around 1
# cleanup: park whatever is already in the two source directories
mv /etc/pki/ca-trust/source/blacklist/* /tmp
mv /etc/pki/ca-trust/source/anchors/* /tmp
# fix the issue: distrust the expired DST Root CA X3 (fetched from crt.sh by its SHA-256 fingerprint; the URL is quoted so the shell does not treat "?" as a glob)
cd /etc/pki/ca-trust/source/blacklist
wget -O dst.pem 'https://crt.sh/?d=0687260331A72403D909F105E69BCF0D32E1BD2493FFC6D9206D11BCD6770739'
# ... and anchor the self-signed ISRG Root X1
cd /etc/pki/ca-trust/source/anchors
# --no-check-certificate is needed because this broken client cannot verify letsencrypt.org itself;
# the download is therefore unauthenticated: compare the file's SHA-256 fingerprint with the value
# published at https://letsencrypt.org/certificates/ before running update-ca-trust
wget --no-check-certificate https://letsencrypt.org/certs/isrgrootx1.pem
update-ca-trust
# check a Let's Encrypt site; expect "Verify return code: 0 (ok)"
# (stdin is closed so s_client exits, stderr is merged because the per-depth "verify" lines go there)
DOMAIN=$YOUR_DOMAIN
openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" </dev/null 2>&1 | grep -i verify
kujiy commented Oct 1, 2021

DESIRED STATE

Files

$ ls -al /etc/pki/ca-trust/source/blacklist
-rw-r--r--  1 root root 1200 Oct  1 16:48 dst.pem

$ ls -al /etc/pki/ca-trust/source/anchors
-rw-r--r--  1 root root 1939 Oct  1 16:45 isrgrootx1.pem

Trust stores

$ trust list | grep -C3 ISRG
pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert
    type: certificate
    label: ISRG Root X1
    trust: anchor
    category: authority

$ trust list | grep -C3 DST
pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10;type=cert
    type: certificate
    label: DST Root CA X3
    trust: blacklisted
    category: authority

kujiy commented Oct 1, 2021

Reference

Workaround 1 (on clients with OpenSSL 1.0.2)

> Just remove the expired root certificate (DST Root CA X3) from the trust store used by the OpenSSL 1.0.2 TLS client to verify the identity of TLS servers. If the new ISRG Root X1 self-signed certificate isn't already in the trust store, add it.
>
> There is no downside to this workaround apart from the need to modify all the potential OpenSSL 1.0.2 TLS client hosts' trust stores.
>
> The removal and addition of certificates from/into the system certificate trust stores is a highly specific operation depending on the operating system. For example, on Linux based systems which manage system certificate trust stores with the ca-certificates tool, a CA certificate can be removed by first copying the certificate into the /etc/pki/ca-trust/source/blacklist directory and added by copying it into the /etc/pki/ca-trust/source/anchors directory. The trust store is then updated by running the update-ca-trust command.

Source: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
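The workaround scripted at the top of the gist and described in the OpenSSL blog excerpt above, as an added example that is not the gist author's nor the OpenSSL project's code. It performs the same blacklist/anchor steps, but because the `--no-check-certificate` download is unauthenticated (TLS verification is exactly what is broken on these hosts) it refuses to install either certificate unless the file's SHA-256 fingerprint matches a pinned value, then confirms the resulting trust state the DESIRED STATE comment shows. Assumptions: the RHEL/CentOS `/etc/pki/ca-trust` layout, `openssl`, `wget`, `install` and `trust` on PATH, the DST Root CA X3 fingerprint taken from the crt.sh URL in the gist, and the ISRG Root X1 fingerprint as published at https://letsencrypt.org/certificates/ (confirm it there before relying on it). The `trust list` sample embedded in the block is constructed from the output shown in the DESIRED STATE comment and is used only to exercise the parser.

```shell
#!/bin/sh
# Added example, not the gist's own script: the DST Root CA X3 workaround with
# fingerprint pinning. Run as root:  sh workaround.sh --apply   (optionally DOMAIN=host)

# DST value: the SHA-256 in the crt.sh URL used by the gist.
# ISRG value: as published at https://letsencrypt.org/certificates/ ; confirm there before use.
DST_X3_SHA256="0687260331A72403D909F105E69BCF0D32E1BD2493FFC6D9206D11BCD6770739"
ISRG_X1_SHA256="96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BCA13658"

# Constructed sample of `trust list` output, modelled on the gist's DESIRED STATE comment.
SAMPLE_TRUST_LIST='pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert
    type: certificate
    label: ISRG Root X1
    trust: anchor
    category: authority

pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10;type=cert
    type: certificate
    label: DST Root CA X3
    trust: blacklisted
    category: authority
'

# Print the SHA-256 fingerprint of a PEM certificate as 64 uppercase hex digits, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Exit 0 when the certificate in $1 has the expected fingerprint $2, 1 otherwise
# (an unreadable file yields an empty fingerprint and therefore a mismatch).
verify_cert() {
    actual=$(cert_fingerprint "$1" 2>/dev/null)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Download $1, install it as $3/$4 only if its fingerprint is $2; leave nothing behind otherwise.
fetch_verified() {
    tmp=$(mktemp) || return 1
    # The transport is deliberately unauthenticated; the pinned fingerprint is the trust decision.
    if ! wget -q --no-check-certificate -O "$tmp" "$1"; then
        rm -f "$tmp"; return 1
    fi
    if ! verify_cert "$tmp" "$2"; then
        echo "fingerprint mismatch for $1, refusing to install" >&2
        rm -f "$tmp"; return 1
    fi
    install -m 0644 "$tmp" "$3/$4" && rm -f "$tmp"
}

# Read `trust list` output on stdin and print the trust state ("anchor", "blacklisted", ...)
# of the certificate whose label is $1; prints nothing if the label is absent.
trust_state() {
    awk -v want="$1" '
        /^pkcs11:/      { label = ""; trust = "" }
        /^ *label:/     { sub(/^ *label: */, ""); label = $0 }
        /^ *trust:/     { sub(/^ *trust: */, ""); trust = $0
                          if (label == want) { print trust; exit } }'
}

# The gist's final check: the server's chain must now verify through ISRG Root X1.
check_server() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>&1 \
        | grep -i 'verify return code'
}

main() {
    fetch_verified "https://crt.sh/?d=$DST_X3_SHA256" "$DST_X3_SHA256" \
        /etc/pki/ca-trust/source/blacklist dst.pem || exit 1
    fetch_verified https://letsencrypt.org/certs/isrgrootx1.pem "$ISRG_X1_SHA256" \
        /etc/pki/ca-trust/source/anchors isrgrootx1.pem || exit 1
    update-ca-trust
    echo "DST Root CA X3: $(trust list | trust_state 'DST Root CA X3')"   # expect blacklisted
    echo "ISRG Root X1:   $(trust list | trust_state 'ISRG Root X1')"     # expect anchor
    if [ -n "${DOMAIN:-}" ]; then check_server "$DOMAIN"; fi
}

case "${1:-}" in
    --apply) main ;;
esac
```

Without `--apply` the script only defines its functions, so it can be sourced to reuse `verify_cert` or `trust_state` on another host; a fingerprint mismatch on either download aborts before `update-ca-trust` runs, which is the property the bare `wget --no-check-certificate` lacks.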
