letsencrypt root / certificate validation on jessie

letsencrypt root / certificate validation on jessie

  • Written by
    Walter Doekes
  • Published on

On getting LetsEncrypt certificates to work on Debian/Jessie or Cumulus Linux 3 again.

Since last Thursday the 30th, the old LetsEncrypt certificate root stopped working at 14:01 UTC. This was a known and anticipated issue. All certificates had long been double signed by a new root that doubled as intermediate. Unfortunately, this does not mean that everything worked on older platforms with OpenSSL 1.0.1 or 1.0.2.

See this Debian/Jessie box — we see similar behaviour on Cumulux Linux 3.x:

# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Everything is up to date.

# curl https://wctegeltje.nl
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html

Yet the certificate is marked as expired.

Quickly check the chain on another box:

$ easycert -T wctegeltje.nl 443
Certificate chain
 0 s: [bb678ac6] CN = wctegeltje.nl
   i: [8d33f237] C = US, O = Let's Encrypt, CN = R3
 1 s: [8d33f237] C = US, O = Let's Encrypt, CN = R3
   i: [4042bcee] C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s: [4042bcee] C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i: [2e5ac55d] O = Digital Signature Trust Co., CN = DST Root CA X3
Expires in 30 days

So yeah. The root-most part here has expired, but the intermediate-root-double has not. See these:

# openssl x509 -in /etc/ssl/certs/2e5ac55d.0 -enddate -noout
notAfter=Sep 30 14:01:15 2021 GMT
# openssl x509 -in /etc/ssl/certs/4042bcee.0 -enddate -noout
notAfter=Jun  4 11:04:38 2035 GMT

How do we fix this? Easy. Just clear out the expired root:

# mv /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt{,.old}
# sed -i -e 's#^mozilla/DST_Root_CA_X3.crt#!&#' /etc/ca-certificates.conf
# update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

(That last step removes /etc/ssl/certs/2e5ac55d.0 which is a symlink to DST_Root_CA_X3.pem.)

# curl https://wctegeltje.nl
<!DOCTYPE html>

Back to overview Newer post: zpool import / no pools / stale zdb labels Older post: umount -l / needs --make-slave