The expiry of the IdenTrust root certificate (DST Root CA X3) that was used to cross-sign the Let’s Encrypt CA root certificate has caused Let’s Encrypt certificate validation failures in projects that use older versions of OpenSSL and GnuTLS. The problems also affected the LibreSSL library, whose developers already had past experience of the failures that followed the expiry of the AddTrust root certificate of the Sectigo (Comodo) certification authority.
Recall that OpenSSL releases up to and including the 1.0.2 branch and earlier GnuTLS releases contained a bug that prevented correct processing of cross-signed certificates when one of the root certificates used for signing had expired, even if other valid chains of trust remained (in the Let’s Encrypt case, the expiry of the IdenTrust root certificate blocks verification even when the system has Let’s Encrypt’s own root certificate, valid until 2030, in its store). The essence of the bug is that older versions of OpenSSL and GnuTLS treated the certificates as a linear chain, whereas according to RFC 4158 the certificates can form a directed graph, possibly containing cycles, with several trust anchors that all need to be considered.
As a workaround, it is suggested to delete the “DST Root CA X3” certificate from the system store (/etc/ca-certificates.conf and /etc/ssl/certs) and then run “update-ca-certificates -f -v”. On CentOS and RHEL, the “DST Root CA X3” certificate can instead be added to the blacklist:
trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
sudo update-ca-trust extract
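To make the RFC 4158 point concrete, here is an added toy model (not code from OpenSSL, GnuTLS or any project mentioned on this page) of the two chain-building strategies applied to the Let’s Encrypt chain: the old walk-the-presented-chain approach that fails on the expired DST Root CA X3, and trust-store-first path building that finds the valid ISRG Root X1 anchor instead. Subject names mirror the real chain; the example.com leaf, the dates and the helper functions are constructed assumptions, and the model also shows why deleting DST Root CA X3 from the store makes the old strategy succeed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # the only field the bug hinges on

    def valid_at(self, now):
        return now <= self.not_after

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Presented chain: leaf <- R3 <- ISRG Root X1 cross-signed by DST (names real, dates constructed).
LE_CHAIN = [
    Cert("example.com", "R3", day(2021, 12, 1)),
    Cert("R3", "ISRG Root X1", day(2025, 9, 15)),
    Cert("ISRG Root X1", "DST Root CA X3", day(2024, 9, 30)),
]
# Trust store: Let's Encrypt's own self-signed root plus the expired DST root.
STORE = {
    "ISRG Root X1": Cert("ISRG Root X1", "ISRG Root X1", day(2030, 1, 1)),
    "DST Root CA X3": Cert("DST Root CA X3", "DST Root CA X3", day(2021, 9, 30)),
}
NOW = day(2021, 10, 1)  # a day on which DST Root CA X3 has already expired

def verify_untrusted_first(chain, store, now):
    """OpenSSL 1.0.2 style: follow the presented chain to its top and look the
    top issuer up in the store. A found-but-expired anchor is a hard failure; only
    a missing anchor triggers the retry that swaps in a trusted cert with the
    same subject, which is why deleting DST Root CA X3 from the store helps."""
    if not all(c.valid_at(now) for c in chain):
        return False
    anchor = store.get(chain[-1].issuer)
    if anchor is not None:
        return anchor.valid_at(now)
    return any(c.subject in store and store[c.subject].valid_at(now) for c in chain)

def verify_trusted_first(chain, store, now):
    """Graph-style path building (RFC 4158): at each step prefer a valid trust
    anchor for the current issuer, so the expired cross-signing root is never
    reached when another anchor exists."""
    for cert in chain:
        if not cert.valid_at(now):
            return False
        anchor = store.get(cert.issuer)
        if anchor is not None and anchor.valid_at(now):
            return True
    return False
```

With the full store the old strategy returns False and the trusted-first one True; removing DST Root CA X3 from the store makes the old strategy succeed as well, while a store holding only the expired DST root fails under both.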
Some of the failures that occurred after the IdenTrust root certificate expired:
- The syspatch utility used to install binary system updates stopped working in OpenBSD. The OpenBSD project has released patches for its supported branches that fix the LibreSSL problem with checking cross-signed certificates when one of the root certificates in the trust chain has expired. As a workaround, switch from HTTPS to HTTP in /etc/installurl (this does not weaken security, since updates are additionally verified by a digital signature) or select an alternative mirror (ftp.usa.openbsd.org, ftp.hostserver.de, cdn.openbsd.org). You can also remove the expired DST Root CA X3 certificate from the /etc/ssl/cert.pem file.
- DragonFly BSD had similar problems when working with DPorts: starting the pkg package manager threw a certificate validation error. The fix has been committed to the master, DragonFly_RELEASE_6_0 and DragonFly_RELEASE_5_8 branches. As a workaround, the DST Root CA X3 certificate can be removed.
- Checking of Let’s Encrypt certificates in applications based on the Electron platform was broken. The issue was fixed in releases 12.2.1, 13.5.1, 14.1.0 and 15.1.0.
- Some distributions had problems accessing package repositories with the APT package manager when it was built against older versions of the GnuTLS library. The problem showed up in Debian 9, which shipped an unpatched GnuTLS package, resulting in failures accessing deb.debian.org. As a workaround, it is recommended to remove DST_Root_CA_X3.crt from the /etc/ca-certificates.conf file.
- The acme-client was broken in the OPNsense firewall distribution; the problem had been reported in advance, but the developers did not release a patch in time.
- The problem affects the OpenSSL 1.0.2k package in RHEL/CentOS 7. A week ago an update of the ca-certificates-2021.2.50-72.el7_9.noarch package, from which the IdenTrust certificate was removed, was released for RHEL 7 and CentOS 7. A similar update had also been published in advance. The Let’s Encrypt certificate verification issue can affect RHEL/CentOS and Ubuntu users who do not install updates regularly.
- Certificate checking in grpc was broken.
- Problems while building the platform.
- Problems in Amazon Web Services (AWS).
- DigitalOcean users had problems connecting to the database.
- Problems in the Netlify cloud platform.
- Problems accessing Xero services.
- Attempts to establish a TLS connection to the MailGun Web API failed.
- Problems in macOS and iOS versions (11, 13, 14) that, in theory, should not have been affected.
- Problems in Catchpoint services.
- Problems checking certificates when accessing the PostMan API.
- Guardian Firewall crashed.
- Problems with the monday.com support page.
- Problems in the Cerb platform.
- Problems with uptime checks in Google Cloud Monitoring.
- Problems with certificate validation in Cisco Umbrella Secure Web Gateway.
- Problems connecting to Bluecoat and Palo Alto proxies.
- OVHcloud had trouble connecting to the OpenStack API.
- Problems with generating reports in Shopify.
- Problems when accessing the Heroku API.
- Problems in Ledger Live Manager.
- Certificate validation problems in Facebook App Developer Tools.
- Problems in Sophos SG UTM.
- Problems with verifying certificates in cPanel.