Opened 3 years ago

Closed 3 years ago

#63809 closed defect (fixed)

Remove expired root certificate from Let's Encrypt certificates on Braeburn and ports.macports.org

Reported by: ryandesign (Ryan Carsten Schmidt) Owned by: admin@…
Priority: Normal Milestone:
Component: server/hosting Version:
Keywords: Cc: arjunsalyan (Arjun Salyan)
Port:

Description

Please edit the fullchain.pem file for each live Let's Encrypt SSL certificate on Braeburn to remove the third (expired DST Root CA X3) certificate.

Also add the flag --preferred-chain "ISRG Root X1" to the certbot invocation that renews each certificate so that future certificate renewals not put back that expired root.

This will fix this problem on Mojave and other older macOS versions:

$ dig +short www.macports.org
braeburn.macports.org.
136.243.18.213
$ /usr/bin/curl -I https://www.macports.org
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.

Compare with build.macports.org where I've already made those changes:

$ /usr/bin/curl -I https://build.macports.org
HTTP/2 200
server: nginx/1.21.3
date: Fri, 05 Nov 2021 10:35:57 GMT
content-type: text/html; charset=utf-8
content-length: 2805
vary: Accept-Encoding
strict-transport-security: max-age=15768000

See ProblemHotlist#letsencrypt for more info.

Change History (7)

comment:1 Changed 3 years ago by mojca (Mojca Miklavec)

Cc: arjunsalyan added

Probably the same change is needed on ports.macports.org as well?

comment:2 Changed 3 years ago by ryandesign (Ryan Carsten Schmidt)

Yes please.

comment:3 Changed 3 years ago by raimue (Rainer Müller)

I have updated all certificates on braeburn to only use the new preferred chain based on ISRG Root X1.

comment:4 Changed 3 years ago by ryandesign (Ryan Carsten Schmidt)

Summary: Remove expired root certificate from Braeburn's Let's Encrypt certificatesRemove expired root certificate from Let's Encrypt certificates on Braeburn and ports.macports.org

Arjun, can we make this change on ports.macports.org too?

comment:5 Changed 3 years ago by arjunsalyan (Arjun Salyan)

Done and updated the preferred chain, thanks!

comment:6 Changed 3 years ago by mojca (Mojca Miklavec)

Thank you, Arjun.

comment:7 Changed 3 years ago by ryandesign (Ryan Carsten Schmidt)

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.