[Outages-discussion] [EXTERNAL] Re: [outages] SSL rollover - Let's Encrypt etc

Chapman, Brad (NBCUniversal) Brad.Chapman at nbcuni.com
Sun Oct 10 17:33:24 EDT 2021


Some applications will ignore the expired root cert, but others will need some help.

The problematic cert is DST Root CA X3.  Its replacement is ISRG Root X1.

I filed an issue on the GitHub repo for one developer’s app.  For some baffling reason he still includes OpenSSL libraries from 2015, even though other parts have been updated more recently.

For Windows users, you delete the DST X3 cert from your trusted root store.  For Mac users, one workaround is to manually edit the file /etc/ssl/cert.pem.  Here are abbreviated instructions on stackoverflow:

https://stackoverflow.com/a/69413675

The simplest fix is to delete the expired root certificate from the /etc/ssl/cert.pem file, assuming its replacement already exists in the file. This is enough to fix the expired DST Root CA X3, because its replacement, ISRG Root X1, already exists in the /etc/ssl/cert.pem file. Delete all lines from ### Digital Signature Trust Co. to -----END CERTIFICATE-----

—Sent from my iPhone

On Oct 10, 2021, at 1:55 PM, James Lawrie via Outages <outages at outages.org> wrote:

It’s worth noting as well that this affects openssl 1.0.1 even if they have the new root cert.

So curl on Debian 8, Debian 9, OSX 10.14.6 etc. will report SSL certificate expired.

Browsers there will work, but APIs might fail.

I wrote about it a little here with a (per-server) workaround: https://silvermou.se/letsencrypt-60-ssl-certificate-problem-certificate-has-expired/
On 10 Oct 2021, at 16:52, Jay R. Ashworth via Outages wrote:

I meant to post this when it happened, and I think I forgot.  :-}

The SSL Root cert that underlies Let's Encrypt's root expired on 30-Sept,
and the new root that underlies it is not in the Root Certificate Package of
some still pretty widely deployed OS versions, including OS/X <10.12.1.

Lots of people are getting their certs from Let's these days, including
Wikipedia.

So if you've gotten any reports from the field that people can't access
{websites,your websites} it's worth looking into whether this is why.

Tier 2/3 detail: https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
Cheers,
-- jra

Replies, as always, to -discuss

--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info           2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
_______________________________________________
Outages mailing list
Outages at outages.org
https://puck.nether.net/mailman/listinfo/outages
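The cert.pem edit described in the first message above (drop the DST Root CA X3 entry, keeping ISRG Root X1), as an added example that is not part of the thread or of the StackOverflow answer it cites. It assumes the macOS /etc/ssl/cert.pem layout in which each trust anchor is introduced by a "### <organization>" header, followed by an "=== <subject DN>" line, an optional decoded text dump and one PEM block; the sample bundle and its PEM bodies are constructed placeholders, and the function names and the .bak path are the example's own. It matches entries on the subject line only (it does not parse certificate bytes or check validity dates), and it refuses to remove the expired root unless the replacement is already present, which is the condition the StackOverflow answer relies on.

```python
"""Remove an expired trust anchor from a macOS-style /etc/ssl/cert.pem bundle.

Added example (not from the thread). Assumes Apple's cert.pem layout: every
anchor is introduced by a '### <organization>' line, then a
'=== <subject DN>' line, an optional decoded text dump, and one PEM block.
Matching is on the subject DN line only; certificate bytes are not parsed.
"""
import re
import shutil
import sys

# Constructed sample in that layout. The PEM bodies are placeholders, not
# real certificates; only the structure matters for the demonstration.
SAMPLE_BUNDLE = """\
### Digital Signature Trust Co.

=== /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate:
    Data:
        Version: 3 (0x2)
-----BEGIN CERTIFICATE-----
PLACEHOLDER-DST-ROOT-CA-X3
-----END CERTIFICATE-----

### Internet Security Research Group

=== /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Certificate:
    Data:
        Version: 3 (0x2)
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ISRG-ROOT-X1
-----END CERTIFICATE-----

### Example Org

=== /C=US/O=Example Org/CN=Example Root
-----BEGIN CERTIFICATE-----
PLACEHOLDER-EXAMPLE-ROOT
-----END CERTIFICATE-----
"""


def split_entries(bundle):
    """Return (preamble, entries); each entry starts at a '### ' header line."""
    parts = re.split(r"(?m)^(?=### )", bundle)
    preamble = "" if not parts or parts[0].startswith("### ") else parts[0]
    entries = [p for p in parts if p.startswith("### ")]
    return preamble, entries


def entry_cn(entry):
    """CN taken from the '=== /O=.../CN=...' subject line, or '' if absent."""
    subject = re.search(r"(?m)^=== (.*)$", entry)
    if not subject:
        return ""
    cn = re.search(r"/CN=([^/]+)", subject.group(1))
    return cn.group(1).strip() if cn else ""


def count_pem_blocks(text):
    """Number of PEM certificate blocks in text."""
    return len(re.findall(r"^-----BEGIN CERTIFICATE-----$", text, re.M))


def remove_root(bundle, expired_cn, replacement_cn):
    """Drop every entry whose CN is expired_cn; return (new_bundle, removed).

    Refuses to touch the bundle when replacement_cn is absent (the chain would
    then have no trusted anchor at all) or when a matching entry holds more
    than one PEM block (a header shared by several certs needs a manual edit).
    """
    preamble, entries = split_entries(bundle)
    cns = [entry_cn(e) for e in entries]
    if replacement_cn not in cns:
        raise RuntimeError(f"{replacement_cn!r} not in bundle; not removing {expired_cn!r}")
    kept, removed = [], 0
    for entry, cn in zip(entries, cns):
        if cn != expired_cn:
            kept.append(entry)
            continue
        if count_pem_blocks(entry) != 1:
            raise RuntimeError(f"entry for {cn!r} holds several PEM blocks; edit by hand")
        removed += 1
    if removed == 0:
        raise RuntimeError(f"{expired_cn!r} not found; nothing to do")
    return preamble + "".join(kept), removed


def rewrite_bundle(path, expired_cn="DST Root CA X3", replacement_cn="ISRG Root X1"):
    """Back up path to path + '.bak', then write the cleaned bundle in place."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    new_bundle, removed = remove_root(original, expired_cn, replacement_cn)
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_bundle)
    return removed


if __name__ == "__main__":
    # With no argument, demonstrate on the constructed sample instead of
    # touching the real /etc/ssl/cert.pem (which needs sudo on macOS).
    if len(sys.argv) > 1:
        n = rewrite_bundle(sys.argv[1])
        print(f"removed {n} entry/entries; backup at {sys.argv[1]}.bak")
    else:
        cleaned, n = remove_root(SAMPLE_BUNDLE, "DST Root CA X3", "ISRG Root X1")
        print(f"removed {n}; bundle now has {count_pem_blocks(cleaned)} certificates")
```

Run it with no arguments to see the effect on the constructed sample, or with a path (under sudo, on a copy first) to edit a real bundle. Note that this only repairs clients that trust the anchors in cert.pem; as James Lawrie's message says, a client built on OpenSSL 1.0.1 can still fail on the long chain even with ISRG Root X1 present, and that needs the per-server chain change his link describes.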

