The expiry of the IdenTrust root certificate (DST Root CA X3), which was used to cross-sign the Let’s Encrypt root certificate, caused Let’s Encrypt certificate validation failures in projects using older versions of OpenSSL and GnuTLS. The problems also affected the LibreSSL library, whose developers did not take into account the earlier failures that occurred after the AddTrust root certificate of the Sectigo (Comodo) certification authority expired.
Recall that in OpenSSL releases up to and including the 1.0.2 branch, and in GnuTLS before release 3.6.14, there was a bug that prevented the correct processing of cross-signed certificates if one of the root certificates used for signing had expired, even when other valid chains of trust were available (in the case of Let’s Encrypt, the expiry of the IdenTrust root certificate blocks verification even if the system has Let’s Encrypt’s own root certificate, valid until 2030). The essence of the bug is that older versions of OpenSSL and GnuTLS treated the certificate chain as a linear list, whereas according to RFC 4158 the certificates can form a directed, possibly cyclic graph with several trust anchors, all of which must be considered.
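To make the difference between a linear chain walk and RFC 4158 path building concrete, here is an added toy model (not code from the article or from any of the libraries it names). Certificates are plain records with no signatures; the names mirror the Let’s Encrypt hierarchy (leaf, R3, the cross-signed and self-signed ISRG Root X1, DST Root CA X3), and apart from the real 2021-09-30 expiry of DST Root CA X3 all dates are constructed. `verify_legacy` imitates the pre-1.1 OpenSSL behaviour, including its alternative-chain retry, which only fires when no trusted issuer is found at all, not when the one found has expired; `verify_graph` searches the whole issuer graph as RFC 4158 describes.

```python
"""Toy model of X.509 path building with a cross-signed root.

Added example, not code from the article: certificates are plain records and
no signatures are checked. Names mirror the Let's Encrypt hierarchy; apart
from DST Root CA X3's real 2021-09-30 expiry, all dates are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    label: str       # tells the two "ISRG Root X1" certificates apart
    subject: str
    issuer: str
    not_after: date


def self_signed(c: Cert) -> bool:
    return c.subject == c.issuer


def find_issuer(c: Cert, candidates: Sequence[Cert]) -> Optional[Cert]:
    """First candidate whose subject matches c's issuer (never c itself)."""
    for cand in candidates:
        if cand is not c and cand.subject == c.issuer:
            return cand
    return None


def dates_ok(path: Sequence[Cert], today: date) -> bool:
    return all(c.not_after >= today for c in path)


def verify_legacy(chain: Sequence[Cert], store: Sequence[Cert], today: date,
                  trusted_first: bool = False) -> Tuple[bool, str]:
    """Models the pre-1.1 OpenSSL walk: follow the server's chain upward, look
    up a trusted issuer only for its last certificate, and try an alternative
    path only when *no* trusted issuer exists. A trusted issuer that was found
    but has expired is a hard failure, never a reason to retry."""
    path: List[Cert] = []
    anchor = None
    for c in chain:
        path.append(c)
        if trusted_first:
            # X509_V_FLAG_TRUSTED_FIRST (optional in 1.0.2, default since 1.1.0):
            # prefer a trusted issuer over the next certificate the server sent
            anchor = find_issuer(c, store)
            if anchor is not None:
                break
    if anchor is None:
        anchor = find_issuer(path[-1], store)
    if anchor is None:
        # alternative-chain search: walk back down the untrusted certificates
        # looking for one that a trusted certificate issued directly
        for k in range(len(path) - 2, -1, -1):
            anchor = find_issuer(path[k], store)
            if anchor is not None:
                path = path[: k + 1]
                break
    if anchor is None:
        return False, "no trust anchor found"
    path.append(anchor)
    if not dates_ok(path, today):
        expired = [c.label for c in path if c.not_after < today]
        return False, "certificate has expired: " + ", ".join(expired)
    return True, " -> ".join(c.label for c in path)


def verify_graph(chain: Sequence[Cert], store: Sequence[Cert], today: date) -> Tuple[bool, str]:
    """RFC 4158 style: every certificate is a node and every issuer match an
    edge; search (trust store first) for a path ending at an unexpired anchor."""
    candidates = list(store) + list(chain)

    def search(path: List[Cert]) -> Optional[List[Cert]]:
        current = path[-1]
        if current in store and dates_ok(path, today):
            return path
        if self_signed(current):
            return None          # untrusted or expired root: dead end, backtrack
        for nxt in candidates:
            if nxt.subject == current.issuer and nxt not in path:
                found = search(path + [nxt])
                if found is not None:
                    return found
        return None

    path = search([chain[0]])
    if path is None:
        return False, "no valid path to a trust anchor"
    return True, " -> ".join(c.label for c in path)


# Constructed sample data (dates other than DST's are toy values)
TODAY = date(2021, 10, 1)  # the day after DST Root CA X3 expired
LEAF = Cert("leaf", "example.test", "R3", date(2021, 12, 31))
R3 = Cert("R3", "R3", "ISRG Root X1", date(2025, 9, 15))
X1_CROSS = Cert("ISRG Root X1 (cross-signed)", "ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
X1_SELF = Cert("ISRG Root X1 (self-signed)", "ISRG Root X1", "ISRG Root X1", date(2030, 6, 4))
DST = Cert("DST Root CA X3", "DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))

SERVER_CHAIN = [LEAF, R3, X1_CROSS]   # the default chain Let's Encrypt servers sent
TRUST_STORE = [DST, X1_SELF]          # a system store that still holds the expired root

if __name__ == "__main__":
    print("legacy, DST present:  ", verify_legacy(SERVER_CHAIN, TRUST_STORE, TODAY))
    print("legacy, DST removed:  ", verify_legacy(SERVER_CHAIN, [X1_SELF], TODAY))
    print("legacy, trusted_first:", verify_legacy(SERVER_CHAIN, TRUST_STORE, TODAY, True))
    print("graph (RFC 4158):     ", verify_graph(SERVER_CHAIN, TRUST_STORE, TODAY))
```

The four runs show the three workarounds the article reports and why they work: with the expired root still in the store the legacy walk finds DST Root CA X3, checks its dates and fails; removing that root from the store makes the first lookup miss, which is the only condition under which the legacy code retries and finds the self-signed ISRG Root X1; trusted_first reaches the same anchor without any store surgery; and the graph search never needed any of it.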
As a workaround, it is suggested to delete the “DST Root CA X3” certificate from the system store (/etc/ca-certificates.conf and /etc/ssl/certs) and then run the command “update-ca-certificates -f -v”. On CentOS and RHEL, you can add the “DST Root CA X3” certificate to the blacklist:
trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
sudo update-ca-trust extract
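The store clean-up described above has two parts on Debian-style systems (deselect the entry in /etc/ca-certificates.conf, then rebuild /etc/ssl/certs), and on systems that keep a single bundle file the certificate has to be cut out of the bundle itself. The following added helper (not code from the article or from any distribution) does both against text you pass in: it identifies a PEM block by the SHA-256 fingerprint of its DER bytes, the same value `openssl x509 -noout -fingerprint -sha256` prints, and it deselects a ca-certificates.conf entry by prefixing it with “!”, which update-ca-certificates treats as “do not install”. The sample bundle is constructed from placeholder bytes, not real certificates, and the real fingerprint of DST Root CA X3 is not given here; read it from the certificate on the host before editing anything.

```python
"""Locate and remove one certificate from a PEM bundle by SHA-256 fingerprint,
and deselect it in a Debian-style /etc/ca-certificates.conf.

Added example, not code from the article. Only the PEM framing is parsed; the
fingerprint is SHA-256 over the DER bytes, exactly what
`openssl x509 -noout -fingerprint -sha256` prints. The sample bundle holds
constructed placeholder bodies, not real certificates.
"""
import base64
import hashlib
import re
from typing import List, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def fingerprint_sha256(pem_body: str) -> str:
    """Colon-separated upper-case SHA-256 of the DER, as openssl prints it."""
    der = base64.b64decode("".join(pem_body.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def list_fingerprints(bundle: str) -> List[str]:
    """Fingerprints of all certificates in a PEM bundle, in file order."""
    return [fingerprint_sha256(m.group(1)) for m in PEM_BLOCK.finditer(bundle)]


def remove_cert(bundle: str, fingerprint: str) -> Tuple[str, int]:
    """Drop every PEM block whose fingerprint matches; return (new_text, removed)."""
    wanted = fingerprint.replace(":", "").upper()
    removed = 0

    def keep_or_drop(m: "re.Match[str]") -> str:
        nonlocal removed
        if fingerprint_sha256(m.group(1)).replace(":", "") == wanted:
            removed += 1
            return ""
        return m.group(0)

    return PEM_BLOCK.sub(keep_or_drop, bundle), removed


def deselect_ca(conf: str, entry: str) -> Tuple[str, bool]:
    """Prefix a ca-certificates.conf entry (e.g. mozilla/DST_Root_CA_X3.crt)
    with '!' so that update-ca-certificates stops installing it."""
    lines = conf.splitlines()
    changed = False
    for i, line in enumerate(lines):
        if line.strip() == entry:
            lines[i] = "!" + entry
            changed = True
    return "\n".join(lines) + "\n", changed


def _pem(body: bytes) -> str:
    """Wrap arbitrary bytes in PEM framing (used only for the constructed sample)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(body).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed sample bundle: two placeholder "certificates", not real DER
SAMPLE_BUNDLE = ("# constructed sample bundle, not real certificates\n"
                 + _pem(b"placeholder DER: expired root")
                 + _pem(b"placeholder DER: still valid root"))

if __name__ == "__main__":
    fps = list_fingerprints(SAMPLE_BUNDLE)
    print("before:", fps)
    new_bundle, n = remove_cert(SAMPLE_BUNDLE, fps[0])
    print("removed", n, "-> after:", list_fingerprints(new_bundle))
    conf = "mozilla/DST_Root_CA_X3.crt\nmozilla/ISRG_Root_X1.crt\n"   # constructed excerpt
    print(deselect_ca(conf, "mozilla/DST_Root_CA_X3.crt")[0])
```

On a real host, compare `list_fingerprints` of the bundle with the fingerprint printed by openssl for the expired root, write the result of `remove_cert` back only after keeping a copy of the original file, and on Debian-style systems follow `deselect_ca` with the `update-ca-certificates -f -v` run from the text so /etc/ssl/certs is rebuilt.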
Some of the glitches that occurred after the IdenTrust root certificate was terminated:
- The syspatch utility, used to install binary system updates, stopped working in OpenBSD. The OpenBSD project has released patches for the 6.8 and 6.9 branches that fix the LibreSSL problem with verifying cross-signed certificates when one of the root certificates in the trust chain has expired. As a workaround, it is recommended to switch from HTTPS to HTTP in /etc/installurl (this does not compromise security, since updates are additionally verified by digital signature) or to select an alternative mirror (ftp.usa.openbsd.org, ftp.hostserver.de, cdn.openbsd.org). You can also remove the expired DST Root CA X3 certificate from the /etc/ssl/cert.pem file.
- Similar problems occur in DragonFly BSD when working with DPorts: starting the pkg package manager throws a certificate validation error. A fix has been added to the master, DragonFly_RELEASE_6_0 and DragonFly_RELEASE_5_8 branches. As a workaround, you can remove the DST Root CA X3 certificate.
- Validation of Let’s Encrypt certificates in applications based on the Electron platform was broken. The issue was fixed in updates 12.2.1, 13.5.1, 14.1.0 and 15.1.0.
- Some distributions have problems accessing package repositories when using the APT package manager with older versions of the GnuTLS library. Debian 9, which shipped an unpatched GnuTLS package, turned out to be affected, resulting in problems accessing deb.debian.org. As a workaround, it is recommended to remove DST_Root_CA_X3.crt from the /etc/ca-certificates.conf file.
- acme-client was broken in the OPNsense firewall distribution; the problem was reported in advance, but the developers did not manage to release the patch in time.
- The problem affected the OpenSSL 1.0.2k package in RHEL/CentOS 7. A week ago, an update of the ca-certificates-2021.2.50-72.el7_9.noarch package, from which the IdenTrust certificate was removed, was generated for RHEL 7 and CentOS 7. A similar update was published in advance for Ubuntu 16.04, 14.04, 21.04, 20.04 and 18.04. The Let’s Encrypt certificate verification issue can affect RHEL/CentOS and Ubuntu users who do not install updates regularly.
- Certificate checking in grpc is broken.
- Build failures on the Cloudflare Pages platform.
- Issues in Amazon Web Services (AWS).
- Problems for DigitalOcean users connecting to the database.
- Failure in the Netlify cloud platform.
- Problems accessing Xero services.
- An attempt to establish a TLS connection to the MailGun Web API failed.
- Crashes in macOS and iOS versions (11, 13, 14) that the problem theoretically should not have affected.
- Crashes in Catchpoint services.
- Certificate checking errors when accessing the PostMan API.
- The Guardian Firewall crashed.
- Disruption to the monday.com support page.
- Crash in the Cerb platform.
- Failure to check uptime in Google Cloud Monitoring.
- Issue with certificate validation in Cisco Umbrella Secure Web Gateway.
- Problems connecting to Bluecoat and Palo Alto proxies.
- OVHcloud has trouble connecting to the OpenStack API.
- Problems with generating reports in Shopify.
- There are problems when accessing the Heroku API.
- Crash in Ledger Live Manager.
- Certificate validation error in Facebook App Developer Tools.
- Problems in Sophos SG UTM.
- Problems with verifying certificates in cPanel.