/ Register

Join the community today
Become a Member

SSL Letsencrypt Letsencrypt-dst-root-ca workaround issues

Discussion in 'Domains, DNS, Email & SSL Certificates' started by David Coate, Sep 25, 2021.

Previous Thread Next Thread
Loading...
  1. Sep 25, 2021 #1
    David Coate

    David Coate New Member

    9
    2
    3
    Jun 20, 2020
    Pensacola, Florida, US
    Ratings:
    +6
    Local Time:
    7:50 PM
    Regarding the post on letsencrypt-dst-root-ca-x3-expiration-september-30-2021-workaround-on-centos-7-x...

    I have 3 linodes with centminmod 123.09beta01 instances. On 1, the workaround fixed the issue, on the other 2, I receive the following when starting centmin.sh
    Code:
    Update workaround to blacklist expiring Letsencrypt DST Root CA X3 certificate...

https://community.centminmod.com/threads/21965/


unable to load certificate

140575175718800:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

Diff check file at /root/tools/backup-ca-certs/diff-ca-bundle.crt.diff


Check to see if DST Root CA X3 is blacklisted

trust list | grep -C3 'DST Root CA X3' | grep -B1 'blacklisted'
    Running cmupdate yields "No local changes to save Already up-to-date."

    I tried the instructions at the bottom of the post using the YUM update procedure but still get the same results... the DST Root CA X3 does not show as blacklisted.

    Both of these linodes run Wordpress and this is affecting logins.

    I'm not sure what to look for.
     
  2. Sep 25, 2021 #2
    eva2000

    eva2000 Administrator Staff Member

    49,766
    11,447
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,789
    Local Time:
    11:50 AM
    Nginx 1.21.x
    MariaDB 10.x
    what's contents of /root/tools/backup-ca-certs/diff-ca-bundle.crt.diff on the servers with that error?

    output for
    Code (Text):
    cat /root/tools/backup-ca-certs/diff-ca-bundle.crt.diff

    and output for command
    Code (Text):
    trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509

    and output for command
    Code (Text):
    openssl x509 -in /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem -noout -text

    and output for command
    Code (Text):
    trust list | grep -C3 'DST Root CA X3' | grep -B1 'blacklisted'

    and output for command
    Code (Text):
    trust list | grep -C3 'DST Root CA X3'

    and output for command
    Code (Text):
    grep -A23 -i 'DST Root CA X3' /etc/pki/tls/certs/ca-bundle.trust.crt

    I suspect for the previous 5 commands the issue might be that update yum ca-certificates actually removed the DST Root X3 certificate so those commands can't find the cert

    and output for command
    Code (Text):
    yum history list ca-certificates

    for posting code or output from commands to keep the formatting, you might want to use CODE tags for code How to use forum BBCODE code tags :)
     
    Last edited: Sep 25, 2021
  3. Sep 25, 2021 #3
    eva2000

    eva2000 Administrator Staff Member

    49,766
    11,447
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,789
    Local Time:
    11:50 AM
    Nginx 1.21.x
    MariaDB 10.x
Previous Thread Next Thread
Loading...

.