debian - How to force older debian to forget about DST Root CA X3 Expiration and use ISRG Root X1 - SSL certificate problem: certificate has expired
Problem description
This relates to DST Root CA X3 Expiration (September 2021)
When searching online for a fix to apply on an older server (Debian 8 in my case) that makes calls with curl to sites encrypted with letsencrypt, the calls now seem to fail with the following message:
Example:
curl -fsSL https://deb.nodesource.com/setup_14.x | bash -
It fails silently; trying it manually, with the silent flag and the bash pipe removed, like this:
curl -L https://deb.nodesource.com/setup_14.x
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Trying the following commands doesn't solve the issue:
apt update
apt install -y ca-certificates openssl
update-ca-certificates
What can I do!? (answering my own question) ⬇️
Solution
Disclaimer: I'm no security expert (I know things, but you do you). Make sure you understand what you are doing before applying any fix shared here.
Fix by upgrading your instances
Upgrade your instances. This problem won't happen on debian 9 or higher.
In the following example, I had this problem on a ruby:2.4.1 docker image which is based on Debian 8 (could be considered old). Upgrading to a more recent docker image fixes this issue. Upgrading to a more recent Debian version should also fix the issue.
I confirmed it does not happen when using the ruby:2.7.0 docker image based on Debian 11, as shown here:
docker run --rm -it ruby:2.7.4 bash -c "cat /etc/issue"
Debian GNU/Linux 11 \n \l
Fix for Debian 8 by commenting DST_Root_CA_X3.crt from /etc/ca-certificates.conf
Even if ISRG Root X1 is in place, if DST Root CA X3 is still present and in use, its verification seems to happen first, so we can get rid of it by doing this:
- install the ca-certificates package
- comment out /mozilla/DST_Root_CA_X3.crt in /etc/ca-certificates.conf
- make sure /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt is there (it should be)
- update ca-certificates with update-ca-certificates
Example directly on your instance
cat /etc/issue
Debian GNU/Linux 8 \n \l
sudo apt install -y ca-certificates
sudo sed -i '/^mozilla\/DST_Root_CA_X3.crt$/ s/^/!/' /etc/ca-certificates.conf
sudo update-ca-certificates
Example Dockerfile:
# ruby:2.4.1 uses Debian 8 (a comment after FROM on the same line is not valid Dockerfile syntax)
FROM ruby:2.4.1
RUN apt update -qq \
&& apt install -y ca-certificates \
&& sed -i '/^mozilla\/DST_Root_CA_X3.crt$/ s/^/!/' /etc/ca-certificates.conf \
&& update-ca-certificates \
&& rm -rf /var/lib/apt/lists/*
Fix using dpkg-reconfigure ca-certificates
As stated in the comments, you can also fix this interactively using the following command on the instance (requires the ca-certificates package installed):
dpkg-reconfigure ca-certificates
Then disable mozilla/DST_Root_CA_X3.crt from the list.
Conclusion
If you'd like to learn more, you should read Scott Helme's post: Let's Encrypt's Root Certificate is expiring!
You can now curl letsencrypt sites safely with these safety glasses:
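The following is an added example, not code from the answer above. It takes the sed edit from the answer (prefixing the DST_Root_CA_X3 line in /etc/ca-certificates.conf with `!`, which is how update-ca-certificates marks a deselected certificate) and generalises it into small shell functions you can dry-run against a constructed copy of the config file before touching the real one. The sample config contents, the function names, and the temp-file workflow are assumptions made for illustration; the check of the DST root's expiry date only runs if that file and openssl exist on the machine.

```shell
#!/bin/sh
# Added example (not part of the original answer). Dry-runs the
# ca-certificates.conf edit on a constructed copy of the file.

# Report the state of a CA entry in a ca-certificates.conf-style file:
# "enabled" (listed as-is), "disabled" (listed with a leading '!', which
# update-ca-certificates treats as deselected) or "absent".
ca_entry_state() {
    conf="$1"; entry="$2"
    if grep -qxF "$entry" "$conf"; then
        echo enabled
    elif grep -qxF "!$entry" "$conf"; then
        echo disabled
    else
        echo absent
    fi
}

# Prefix the entry with '!' -- the same sed as the answer, generalised to any
# entry name. Idempotent: an already-disabled line no longer matches ^entry$.
disable_ca_entry() {
    conf="$1"; entry="$2"
    # escape '/', '&', '.' and '\' so the entry is a literal in the sed address
    esc=$(printf '%s' "$entry" | sed 's/[\/&.]/\\&/g')
    sed -i "/^${esc}\$/"' s/^/!/' "$conf"
}

# Write a constructed sample config in the real file's format (assumption:
# a few representative lines, not a copy of any system's actual file).
make_sample_conf() {
    cat > "$1" <<'EOF'
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
mozilla/DST_Root_CA_X3.crt
mozilla/ISRG_Root_X1.crt
mozilla/ISRG_Root_X2.crt
EOF
}

# Optional check on a real system: is the DST root past its notAfter date?
# Handles the file or openssl being absent instead of failing.
check_dst_expiry() {
    crt=/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
    [ -f "$crt" ] || { echo "$crt: not present"; return 0; }
    command -v openssl >/dev/null 2>&1 || { echo "openssl not available"; return 0; }
    if openssl x509 -checkend 0 -noout -in "$crt" >/dev/null 2>&1; then
        echo "$crt: still valid"
    else
        echo "$crt: expired"
    fi
}

demo() {
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    echo "before: $(ca_entry_state "$tmp" mozilla/DST_Root_CA_X3.crt)"
    disable_ca_entry "$tmp" mozilla/DST_Root_CA_X3.crt
    disable_ca_entry "$tmp" mozilla/DST_Root_CA_X3.crt   # second run is a no-op
    echo "after:  $(ca_entry_state "$tmp" mozilla/DST_Root_CA_X3.crt)"
    echo "ISRG:   $(ca_entry_state "$tmp" mozilla/ISRG_Root_X1.crt)"
    cat "$tmp"
    rm -f "$tmp"
    check_dst_expiry
}

demo
```

To apply it for real, point `disable_ca_entry` at /etc/ca-certificates.conf (as root) and then run `update-ca-certificates`, exactly as the answer does; the point of the temp-file dry run is to confirm the line is matched and prefixed only once before the live bundle is regenerated.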