Re: [lmi] savannah.gnu.org certificate expiration
From: Vadim Zeitlin
Subject: Re: [lmi] savannah.gnu.org certificate expiration
Date: Fri, 29 Oct 2021 02:10:14 +0200
On Fri, 29 Oct 2021 00:02:25 +0000 Greg Chicares <gchicares@sbcglobal.net>
wrote:
GC> https://savannah.nongnu.org/forum/forum.php?forum_id=10054
GC>
GC> | On September 30, 2021, as planned the DST Root CA X3 cross-sign has
GC> | expired for the Let's Encrypt trust chain. That was a normal and
GC> | planned event. However coupled with a verification error in the code
GC> | of libraries authenticating certificates it caused some clients that
GC> | have not been updated to fixed versions to have problems validating
GC> | certificates.
GC> |
GC> | If you are experiencing invalid certificate chain problems with Let's
GC> | Encrypt certificates (not a Savannah problem) then please upgrade
GC> | your client to the latest security patches for your system.
GC>
GC> That seemed worth mentioning in general.
Yes, it broke quite a few things, even though it was supposed to not
affect almost anybody.
GC> In particular, it happens to matter for our corporate redhat server:
Probably because it uses OpenSSL 1.0 when 1.1 is required to use the new
certificate.
GC> I could probably figure out how to update the server's certificates,
GC> but the corporate overseers might look askance at that.
I don't think you could, it's the Savannah certificate which matters and you
don't have access to it (unless you're working as a Savannah
administrator incognito). You could try one of the other workarounds from
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
but unfortunately the best one of them (#3) must also be done server-side
(this is what I did for the servers that still need to support RedHat 6
clients).
Sorry if this doesn't really help,
VZ