```sh
# cleanup: move any existing local overrides aside first. Note that this also
# drops every CA your own organisation added under anchors/, so keep the copies.
mv /etc/pki/ca-trust/source/blacklist/* /tmp
mv /etc/pki/ca-trust/source/anchors/* /tmp
# fix the issue: distrust the expired DST Root CA X3 (fetched from crt.sh by its
# SHA-256 fingerprint) and trust the ISRG Root X1 self-signed root instead
cd /etc/pki/ca-trust/source/blacklist
wget -O dst.pem 'https://crt.sh/?d=0687260331A72403D909F105E69BCF0D32E1BD2493FFC6D9206D11BCD6770739'
cd /etc/pki/ca-trust/source/anchors
# --no-check-certificate is needed because letsencrypt.org itself chains to the
# root this host cannot verify yet; compare the downloaded file's fingerprint
# with the one published at https://letsencrypt.org/certificates/ before trusting it
wget --no-check-certificate https://letsencrypt.org/certs/isrgrootx1.pem
update-ca-trust
# verify: expect "Verify return code: 0 (ok)" (stdin closed so s_client does not hang;
# the verify lines are written to stderr, hence 2>&1)
DOMAIN=$YOUR_DOMAIN
openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" </dev/null 2>&1 | grep -i verify
```
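The script above copies whatever wget returned straight into the trust-store source directories. The following is an added example, not part of the gist, that checks a downloaded root before it is installed: it compares the SHA-256 fingerprint against an expected value, refuses anything that is not self-signed, and picks blacklist/ or anchors/ from the certificate's own validity rather than by hand. The DST Root CA X3 fingerprint is the one embedded in the gist's crt.sh URL; EXPECTED_ISRG_ROOT_X1_FP is a placeholder (an assumption) to be replaced with the value published at https://letsencrypt.org/certificates/. The default source directory is the CentOS/RHEL path the gist uses. The last function is an offline stand-in for the s_client check: it verifies a leaf against a given anchor with openssl verify.

```sh
#!/bin/sh
# Added example (not the gist's code): validate a root certificate before
# placing it under /etc/pki/ca-trust/source/{blacklist,anchors}.
set -u

# Fingerprint taken from the gist's crt.sh URL (lowercase, no colons).
EXPECTED_DST_ROOT_X3_FP=0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739
# Placeholder: replace with the fingerprint published by Let's Encrypt.
EXPECTED_ISRG_ROOT_X1_FP=REPLACE_WITH_PUBLISHED_FINGERPRINT

# SHA-256 fingerprint of a PEM certificate as lowercase hex without colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^[^=]*=//; s/://g' | tr 'A-F' 'a-f'
}

# True when subject equals issuer, i.e. the certificate is self-signed.
# Only a self-signed root belongs in anchors/; an intermediate does not.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# True when the certificate stays valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Print the target directory: "blacklist" for an expired root, "anchors"
# for a still-valid one; "reject" (and exit status 1) if not self-signed.
classify_root() {
    if ! cert_is_self_signed "$1"; then
        echo reject
        return 1
    fi
    if cert_valid_for "$1" 0; then
        echo anchors
    else
        echo blacklist
    fi
}

# Copy $1 into the right source directory under $3 (default: the gist's
# CentOS/RHEL path) only if its fingerprint equals $2. Prints the directory
# used; fails on fingerprint mismatch or on a non-root certificate.
install_root() {
    pem=$1; expected_fp=$2; base=${3:-/etc/pki/ca-trust/source}
    actual_fp=$(cert_fingerprint "$pem")
    if [ "$actual_fp" != "$expected_fp" ]; then
        echo "fingerprint mismatch for $pem: got $actual_fp" >&2
        return 1
    fi
    dir=$(classify_root "$pem") || { echo "$pem is not a self-signed root" >&2; return 1; }
    cp "$pem" "$base/$dir/" && echo "$dir"
}

# Offline counterpart of the s_client check: does leaf $2 chain to anchor $1?
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Typical use after the two wget calls from the gist (then run update-ca-trust):
#   install_root dst.pem        "$EXPECTED_DST_ROOT_X3_FP"   # lands in blacklist/
#   install_root isrgrootx1.pem "$EXPECTED_ISRG_ROOT_X1_FP"  # lands in anchors/
```

The classification relies on the certificate's own notAfter, so the same function sends DST Root CA X3 to blacklist/ and ISRG Root X1 to anchors/ without hard-coding either name; the fingerprint check is what makes the --no-check-certificate download safe to act on.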
Reference
Workaround 1 (on clients with OpenSSL 1.0.2)
Just remove the expired root certificate (DST Root CA X3) from the trust store used by the OpenSSL 1.0.2 TLS client to verify the identity of TLS servers. If the new ISRG Root X1 self-signed certificate isn’t already in the trust store, add it. There is no downside to this workaround apart from the need to modify all the potential OpenSSL 1.0.2 TLS client hosts trust stores.
The removal and addition of certificates from/into the system certificate trust stores is a highly specific operation depending on the operating system. For example, on Linux based systems which manage system certificate trust stores with the ca-certificates tool, a CA certificate can be removed by first copying the certificate into /etc/pki/ca-trust/source/blacklist directory and added by copying into the /etc/pki/ca-trust/source/anchors directory. The trust store is then updated by running the update-ca-trust command.
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
DESIRED STATE
Files
Trust stores