Re: Certificate Expiration Event September 2021

[Ian Kelling]

Ian Kelling <iank@fsf.org> writes:

> Bob Proulx <INVALID.NOREPLY@gnu.org> writes:
>
>> On September 30, 2021, as planned the DST Root CA X3 cross-sign has expired
>> for the Let's Encrypt trust chain.  That was a normal and planned event. 
>> However coupled with a verification error in the code of libraries
>> authenticating certificates it caused some clients that have not been updated
>> to fixed versions to have problems validating certificates.
>>
>> If you are experiencing invalid certificate chain problems with Let's Encrypt
>> certificates (not a Savannah problem) then please upgrade your client to the
>> latest security patches for your system.  Please reference these resources as
>> to upstream information and discussion about the issue.
>>
>> * https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>> * https://community.letsencrypt.org/t/production-chain-changes/150739/4
>> * https://letsencrypt.org/docs/certificate-compatibility/
>> * https://letsencrypt.org/certificates/
>> * https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>>
>>
>> _______________________________________________
>>   Message sent via Savannah
>>   https://savannah.nongnu.org/
>
> With a little googling, seems like this is the way to remove the expired
> root cert on trisquel 8, suggested from
> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>
> sudo sed -i"" 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/' 
> /etc/ca-certificates.conf
> sudo dpkg-reconfigure -fnoninteractive ca-certificates
> sudo update-ca-certificates

Just a stylistic changes below. The site I copied from
(https://jay.gooby.org/2021/09/30/remove-the-dst-root-ca-x3-crt-from-ubuntu-14-04-lts)
had some ugly syntax going on.


sudo sed -i 's,mozilla/DST_Root_CA_X3.crt,!mozilla/DST_Root_CA_X3.crt,' 
/etc/ca-certificates.conf
sudo dpkg-reconfigure -fnoninteractive ca-certificates
sudo update-ca-certificates