Absurd: LetsEncrypt Root Certificate

20210930

If you're currently using any Ubuntu 16.04 machines, you shouldn't be, but that aside you may find that curl (and anything else linked against the system trust store) fails with SSL/TLS errors against a good number of servers around the world. This is due to the root certificate that LetsEncrypt's chain used to end in, DST Root CA X3, having expired, with a new root enabled in its place. The old OpenSSL shipped with 16.04 keeps trying to validate through the expired root for as long as it remains in the trust store, which is why the fix removes it rather than only adding the replacement. The solution here is somewhat simple.

First, make sure that you have the latest ca-certificates package installed.

Next, you need to edit /etc/ca-certificates.conf and disable this line:

mozilla/DST_Root_CA_X3.crt

by making it this line

!mozilla/DST_Root_CA_X3.crt

Then run update-ca-certificates (as root) to rebuild the bundle without the expired root.

This should resolve the problem for you.

If you are on another system that is having this problem, fear not. You can try the following:

wget http://security.ubuntu.com/ubuntu/pool/main/c/ca-certificates/ca-certificates_20210119~16.04.1_all.deb
# back up the current roots before overwriting anything
tar cf - /usr/share/ca-certificates/mozilla/ | xz -z > "$HOME/certs.backup.txz"
# a .deb is an ar archive; the files themselves live in data.tar.* inside it
mkdir -p certs && cd certs
ar x ../ca-certificates_20210119~16.04.1_all.deb
tar xf data.tar.*
cd usr/share/ca-certificates/mozilla
cp * /usr/share/ca-certificates/mozilla/
# anchored to the line start so running this twice does not produce "!!mozilla/..."
sed -i 's#^mozilla/DST_Root_CA_X3\.crt#!mozilla/DST_Root_CA_X3.crt#' /etc/ca-certificates.conf
update-ca-certificates

The Ubuntu script update-ca-certificates just symlinks each certificate enabled in /etc/ca-certificates.conf into /etc/ssl/certs and then concatenates those into /etc/ssl/certs/ca-certificates.crt. If you are on a non-Ubuntu system you can do this yourself:

# run as root: drop the roots absent from the current Ubuntu configuration (plus DST_Root_CA_X3.crt), then rebuild the bundle; no spaces inside the braces, or the brace expansion falls apart
rm -f /usr/share/ca-certificates/mozilla/{ACEDICOM_Root.crt,AC_Raíz_Certicámara_S.A..crt,AddTrust_External_Root.crt,AddTrust_Low-Value_Services_Root.crt,AddTrust_Public_Services_Root.crt,AddTrust_Qualified_Certificates_Root.crt,ApplicationCA_-_Japanese_Government.crt,Buypass_Class_2_CA_1.crt,CA_Disig.crt,CA_Disig_Root_R1.crt,CA_WoSign_ECC_Root.crt,CNNIC_ROOT.crt,Camerfirma_Chambers_of_Commerce_Root.crt,Camerfirma_Global_Chambersign_Root.crt,Certification_Authority_of_WoSign_G2.crt,Certinomis_-_Autorité_Racine.crt,Certum_Root_CA.crt,China_Internet_Network_Information_Center_EV_Certificates_Root.crt,ComSign_CA.crt,Comodo_Secure_Services_root.crt,Comodo_Trusted_Services_root.crt,DST_ACES_CA_X6.crt,DST_Root_CA_X3.crt,EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt,\
Equifax_Secure_CA.crt,Equifax_Secure_Global_eBusiness_CA.crt,Equifax_Secure_eBusiness_CA_1.crt,GeoTrust_Global_CA_2.crt,IGC_A.crt,Juur-SK.crt,Microsec_e-Szigno_Root_CA.crt,NetLock_Business_=Class_B=_Root.crt,NetLock_Express_=Class_C=_Root.crt,NetLock_Notary_=Class_A=_Root.crt,NetLock_Qualified_=Class_QA=_Root.crt,PSCProcert.crt,RSA_Security_2048_v3.crt,Root_CA_Generalitat_Valenciana.crt,S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt,S-TRUST_Universal_Root_CA.crt,Security_Communication_EV_RootCA1.crt,Sonera_Class_1_Root_CA.crt,Staat_der_Nederlanden_Root_CA.crt,StartCom_Certification_Authority.crt,StartCom_Certification_Authority_2.crt,StartCom_Certification_Authority_G2.crt,SwissSign_Platinum_CA_-_G2.crt,Swisscom_Root_CA_1.crt,Swisscom_Root_CA_2.crt,Swisscom_Root_EV_CA_2.crt,TC_TrustCenter_Class_3_CA_II.crt,\
TURKTRUST_Certificate_Services_Provider_Root_2007.crt,TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt,TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt,TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.crt,UTN_USERFirst_Email_Root_CA.crt,UTN_USERFirst_Hardware_Root_CA.crt,Verisign_Class_1_Public_Primary_Certification_Authority.crt,Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt,Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt,Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt,Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt,Verisign_Class_3_Public_Primary_Certification_Authority.crt,Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt,Verisign_Class_3_Public_Primary_Certification_Authority_2.crt,\
Visa_eCommerce_Root.crt,WellsSecure_Public_Root_Certificate_Authority.crt,WoSign.crt,WoSign_China.crt,Certplus_Root_CA_G1.crt,Certplus_Root_CA_G2.crt,OpenTrust_Root_CA_G1.crt,OpenTrust_Root_CA_G2.crt,OpenTrust_Root_CA_G3.crt}
cat /usr/share/ca-certificates/mozilla/* > /etc/ssl/certs/ca-certificates.crt

That is using the default Ubuntu configuration with the one change listed prior.
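Added example, not code from this post or from Ubuntu's update-ca-certificates: a POSIX sh function that rebuilds the bundle the way the script above is described as working, but reads the ca-certificates.conf file and skips entries prefixed with "!", so disabling DST_Root_CA_X3.crt there is enough and the file does not have to be deleted first. The directory layout, the "Gone.crt" entry and the placeholder PEM bodies in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: rebuild a CA bundle the
# way update-ca-certificates does, honouring the "!" disable prefix in
# ca-certificates.conf, so a root disabled there (for example
# DST_Root_CA_X3.crt) never reaches the bundle even if its file is still
# present. All paths are parameters; nothing touches /etc unless you pass it.

# build_ca_bundle CONF SRC_DIR OUT_FILE
#   CONF     file in ca-certificates.conf format: one relative cert path per
#            line, "#" starts a comment, a leading "!" disables the entry
#   SRC_DIR  directory the paths are relative to (/usr/share/ca-certificates)
#   OUT_FILE bundle to write (/etc/ssl/certs/ca-certificates.crt)
# Prints "INCLUDED DISABLED MISSING" counts on stdout.
build_ca_bundle() {
    conf=$1; src=$2; out=$3
    included=0; disabled=0; missing=0
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                          # blank or comment
            '!'*) disabled=$((disabled + 1)); continue ;; # disabled root
        esac
        if [ -f "$src/$line" ]; then
            cat "$src/$line" >> "$out"
            included=$((included + 1))
        else
            echo "warning: $line listed in $conf but missing under $src" >&2
            missing=$((missing + 1))
        fi
    done < "$conf"
    echo "$included $disabled $missing"
}

# count_certs BUNDLE: number of PEM certificates in a bundle; compare the
# count before and after a rebuild as a sanity check.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# demo_bundle: run on a constructed trust store (placeholder PEM bodies,
# not real certificates) laid out like /usr/share/ca-certificates.
demo_bundle() {
    d=$(mktemp -d)
    mkdir -p "$d/mozilla"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ISRG-placeholder' '-----END CERTIFICATE-----' > "$d/mozilla/ISRG_Root_X1.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DST-placeholder' '-----END CERTIFICATE-----' > "$d/mozilla/DST_Root_CA_X3.crt"
    printf '%s\n' '# constructed conf' 'mozilla/ISRG_Root_X1.crt' '!mozilla/DST_Root_CA_X3.crt' 'mozilla/Gone.crt' > "$d/ca-certificates.conf"
    build_ca_bundle "$d/ca-certificates.conf" "$d" "$d/ca-certificates.crt"
}
```

Point it at the real conf, /usr/share/ca-certificates and a scratch output file first, and diff the cert count against the existing bundle before replacing anything.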


© MMIX - MMXXI, absurd.wtf
Licentiam Absurdum