SSL Letsencrypt Letsencrypt-dst-root-ca workaround issues

Discussion in 'Domains, DNS, Email & SSL Certificates' started by David Coate, Sep 25, 2021.

  1. David Coate (Premium Member)

    Regarding the post on letsencrypt-dst-root-ca-x3-expiration-september-30-2021-workaround-on-centos-7-x...

    I have 3 linodes with centminmod 123.09beta01 instances. On one, the workaround fixed the issue; on the other two, I receive the following when starting centmin.sh:
    Code:
    Update workaround to blacklist expiring Letsencrypt DST Root CA X3 certificate...
    
    https://community.centminmod.com/threads/21965/
    
    unable to load certificate
    140575175718800:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
    
    Diff check file at /root/tools/backup-ca-certs/diff-ca-bundle.crt.diff
    
    Check to see if DST Root CA X3 is blacklisted
    trust list | grep -C3 'DST Root CA X3' | grep -B1 'blacklisted'
    Running cmupdate yields "No local changes to save Already up-to-date."

    I tried the instructions at the bottom of the post using the YUM update procedure but still get the same results... the DST Root CA X3 does not show as blacklisted.

    Both of these linodes run WordPress and this is affecting logins.

    I'm not sure what to look for.

  2. eva2000 (Administrator, Staff Member)

    What are the contents of /root/tools/backup-ca-certs/diff-ca-bundle.crt.diff on the servers with that error?

    Output for:
    Code (Text):
    cat /root/tools/backup-ca-certs/diff-ca-bundle.crt.diff

    and output for the command:
    Code (Text):
    trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509

    and output for the command:
    Code (Text):
    openssl x509 -in /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem -noout -text

    and output for the command:
    Code (Text):
    trust list | grep -C3 'DST Root CA X3' | grep -B1 'blacklisted'

    and output for the command:
    Code (Text):
    trust list | grep -C3 'DST Root CA X3'

    and output for the command:
    Code (Text):
    grep -A23 -i 'DST Root CA X3' /etc/pki/tls/certs/ca-bundle.trust.crt

    I suspect, for the previous 5 commands, the issue might be that the yum ca-certificates update actually removed the DST Root X3 certificate, so those commands can't find the cert.

    and output for the command:
    Code (Text):
    yum history list ca-certificates

    For posting code or output from commands, to keep the formatting you might want to use CODE tags for code: How to use forum BBCODE code tags :)

    Last edited: Sep 25, 2021
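    An added example (not Centmin Mod's own code) that works through the two symptoms discussed above: a parser for `trust list` output that reports the DST Root CA X3 trust state, including the "absent" case eva2000 suspects, and a pre-check for the `openssl x509` "no start line" error, which is what an empty `trust dump` pipe produces. The sample listing is constructed; the second pkcs11 id is a placeholder.

```python
"""Triage helpers for the two symptoms in this thread, added as an example
(not Centmin Mod's own code): the `openssl x509` "no start line" error and
whether `trust list` shows DST Root CA X3 as blacklisted. Runs offline on text."""
import re

# Constructed `trust list` excerpt in p11-kit's format (a pkcs11: URI line,
# then indented fields). The DST id is from the thread; the other is a placeholder.
SAMPLE_BLACKLISTED = """\
pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10;type=cert
    type: certificate
    label: DST Root CA X3
    trust: blacklisted
pkcs11:id=%00%11%22;type=cert
    type: certificate
    label: ISRG Root X1
    trust: anchor
"""
# Same listing after the DST entry has been removed (e.g. by a package update)
SAMPLE_REMOVED = "pkcs11:" + SAMPLE_BLACKLISTED.split("pkcs11:")[-1]

def pem_problem(text):
    """Why `openssl x509 -in` would fail on `text`; None if it looks like PEM.
    Empty input is what a `trust dump --filter` that matched nothing pipes in."""
    if "-----BEGIN CERTIFICATE-----" not in text:
        # the condition openssl reports as PEM_read_bio:no start line
        return "no PEM certificate block (empty input or non-PEM data)"
    return None

def trust_states(listing):
    """Parse `trust list` output into {label: trust-state}."""
    states, fields = {}, {}
    for line in listing.splitlines():
        if line.startswith("pkcs11:"):  # a new entry begins; flush the last
            if "label" in fields:
                states[fields["label"]] = fields.get("trust", "unknown")
            fields = {}
            continue
        m = re.match(r"\s+(label|trust):\s*(.+)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    if "label" in fields:
        states[fields["label"]] = fields.get("trust", "unknown")
    return states

def dst_root_status(listing):
    """'blacklisted' is the target state; 'absent' means the cert is gone,
    which is why the grep-based checks in the thread print nothing."""
    return trust_states(listing).get("DST Root CA X3", "absent")
```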
  3. eva2000 (Administrator, Staff Member)