letsencrypt root / certificate validation on jessie
On getting LetsEncrypt certificates to work on Debian/Jessie or Cumulus Linux 3 again.
Since Thursday 30 September 2021 at 14:01 UTC, the old Let's Encrypt root, DST Root CA X3, has been expired. This was a known and anticipated event: Let's Encrypt leaf certificates are issued from the R3 intermediate, which hangs off the newer ISRG Root X1, and for compatibility with clients that only trust the old root, servers also send a copy of ISRG Root X1 that is cross-signed by DST Root CA X3. So every chain has been anchored in a root that is still valid for a long time. Unfortunately, that does not mean everything keeps working on older platforms with OpenSSL 1.0.1 or 1.0.2: those versions follow the server-supplied chain all the way up, find the expired DST Root CA X3 in the local store and fail, instead of stopping at ISRG Root X1, which the same store already trusts.
See this Debian/Jessie box; we see the same behaviour on Cumulus Linux 3.x:
# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Everything is up to date.
# curl https://wctegeltje.nl
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html
The box is fully up to date, yet the certificate is reported as expired.
Quickly check the chain on another box:
$ easycert -T wctegeltje.nl 443
Certificate chain
0 s: [bb678ac6] CN = wctegeltje.nl
i: [8d33f237] C = US, O = Let's Encrypt, CN = R3
1 s: [8d33f237] C = US, O = Let's Encrypt, CN = R3
i: [4042bcee] C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s: [4042bcee] C = US, O = Internet Security Research Group, CN = ISRG Root X1
i: [2e5ac55d] O = Digital Signature Trust Co., CN = DST Root CA X3
---
Expires in 30 days
So the root-most certificate in the served chain, DST Root CA X3 (2e5ac55d), has expired, but the cross-signed ISRG Root X1 (4042bcee), which the local store also carries as a self-signed root, has not:
# openssl x509 -in /etc/ssl/certs/2e5ac55d.0 -enddate -noout
notAfter=Sep 30 14:01:15 2021 GMT
# openssl x509 -in /etc/ssl/certs/4042bcee.0 -enddate -noout
notAfter=Jun 4 11:04:38 2035 GMT
How do we fix this? Easy. Remove the expired root from the trust store, so that chain building ends at the ISRG Root X1 that is still trusted:
# mv /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt{,.old}
# sed -i -e 's#^mozilla/DST_Root_CA_X3.crt#!&#' /etc/ca-certificates.conf
# update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
(That last step removes /etc/ssl/certs/2e5ac55d.0, which is a symlink to DST_Root_CA_X3.pem. Note that this only helps programs that use the system store in /etc/ssl/certs; anything that ships its own CA bundle needs the same treatment there.)
# curl https://wctegeltje.nl
<!DOCTYPE html>
...
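The same procedure as a small POSIX shell script, added here as an example and not part of the original post: list_expiring reports every certificate in a ca-certificates style directory that is already expired (or will expire within a given number of seconds, using openssl x509 -checkend), and disable_ca moves one aside and prefixes its line in the config with "!" the way the mv and sed above do. The config and share directory are parameters, so it can be tried on a scratch copy first; update-ca-certificates still has to be run afterwards to refresh /etc/ssl/certs.

```shell
#!/bin/sh
# Added example, not from the original post: find expired CA certificates in a
# ca-certificates style directory and disable one the way the text does.
# Assumes: openssl(1) on PATH; a conf file with one relative path per line
# (like /etc/ca-certificates.conf) and a share dir (like /usr/share/ca-certificates).

# list_expiring SHAREDIR SECONDS
#   Print the relative path of every *.crt under SHAREDIR that is expired now
#   (SECONDS=0) or will expire within SECONDS.  'openssl x509 -checkend N'
#   exits non-zero when notAfter is less than N seconds away.
list_expiring() {
    sharedir=$1
    secs=${2:-0}
    find "$sharedir" -name '*.crt' | sort | while read -r crt; do
        if ! openssl x509 -in "$crt" -noout -checkend "$secs" >/dev/null 2>&1; then
            printf '%s\n' "${crt#"$sharedir"/}"
        fi
    done
}

# disable_ca CONF SHAREDIR RELPATH
#   Move SHAREDIR/RELPATH aside as RELPATH.old and prefix the matching line in
#   CONF with '!' so update-ca-certificates drops it from /etc/ssl/certs.
#   Exact line match (awk) rather than a regex, so a name that is a prefix of
#   another one (Foo.crt vs Foo2.crt) is not touched by accident.
disable_ca() {
    conf=$1
    sharedir=$2
    rel=$3
    [ -f "$sharedir/$rel" ] || { echo "no such certificate: $sharedir/$rel" >&2; return 1; }
    mv "$sharedir/$rel" "$sharedir/$rel.old"
    awk -v p="$rel" '$0 == p { print "!" $0; next } { print }' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Typical use on the affected box (as root), then refresh /etc/ssl/certs:
#   list_expiring /usr/share/ca-certificates 0
#   disable_ca /etc/ca-certificates.conf /usr/share/ca-certificates mozilla/DST_Root_CA_X3.crt
#   update-ca-certificates
```

Running list_expiring with a threshold of a few weeks instead of 0 is a cheap way to spot the next root that is about to cause the same trouble before it does.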