Let's Encrypt! SSL certificates no longer accepted?


Jeroen Koops

Sep 27, 2021, 9:41:34 AM
to erlang-questions
A couple of days ago, three of our Ubuntu servers received an unattended update in which the ca-certificates.crt file was updated.

One of the changes was the removal of the DST Root CA X3 root certificate. This certificate is used as a root by Let's Encrypt certificates, and is almost expiring.

From what I read about the subject (https://scotthelme.co.uk/lets-encrypt-old-root-expiration/) this was planned, and the idea was that the ISRG Root X1 certificate which signs an alternate chain for Let's Encrypt certificates, will take over. 
However, some trickery was applied to make the ISRG Root X1 have an extended lifetime.

What I do know is that the Erlang SSL implementation does not seem to accept Let's Encrypt certificates anymore with { verify, verify_peer } since the update.

Fetching the same resource from the command line with, say, curl, does not cause any problems.

Has anyone else seen this issue? Is there a solution?


Roger Lipscombe

Sep 27, 2021, 10:00:43 AM
to Jeroen Koops, erlang-questions
On Mon, 27 Sept 2021 at 14:41, Jeroen Koops <koo...@gmail.com> wrote:
> One of the changes was the removal of the DST Root CA X3 root-certificate. This certificate is used as a root by Let's Encrypt certificates, and is almost expiring.
> Has anyone else seen this issue? Is there a solution?

See https://blog.voltone.net/post/29 and https://blog.voltone.net/post/30

Jeroen Koops

Sep 27, 2021, 10:35:11 AM
to Roger Lipscombe, erlang-questions
Many thanks; the trick of removing the cross-signed certificate from the chain on the server does the trick.
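Trimming the cross-signed ISRG Root X1 from the server's chain only helps when you control the server. For an Erlang client talking to servers you do not control, the equivalent client-side fix is the `ssl` `partial_chain` option: let the verifier stop at the first certificate in the served chain whose public key matches a root already in the local trust store, so the cross-signed ISRG Root X1 (issued by DST Root CA X3) validates against the self-signed ISRG Root X1 instead of the removed root. The module below is an added example written for this thread, not code from any of the posters or from OTP; the module name, the Ubuntu bundle path and the hard-coded timeout are assumptions. It also logs the subject and issuer of every certificate the server sends, which is the quickest way to see whether a server is still serving the cross-signed root.

```erlang
%% le_chain_check.erl (hypothetical module name; added example, not from the thread)
-module(le_chain_check).
-export([connect/2, partial_chain/2, describe/1]).

-include_lib("public_key/include/public_key.hrl").

%% Assumption: Ubuntu's default bundle, the file the unattended update touched.
-define(CACERTFILE, "/etc/ssl/certs/ca-certificates.crt").

%% Load the trust store as a list of DER-encoded certificates.
cacerts() ->
    {ok, Pem} = file:read_file(?CACERTFILE),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

%% SubjectPublicKeyInfo of a DER certificate. The cross-signed and the
%% self-signed ISRG Root X1 carry the same key, so they compare equal here.
spki(Der) ->
    #'OTPCertificate'{tbsCertificate = TBS} = public_key:pkix_decode_cert(Der, otp),
    TBS#'OTPTBSCertificate'.subjectPublicKeyInfo.

%% Subject and issuer of a DER certificate, for logging the served chain.
describe(Der) ->
    #'OTPCertificate'{tbsCertificate = TBS} = public_key:pkix_decode_cert(Der, otp),
    {TBS#'OTPTBSCertificate'.subject, TBS#'OTPTBSCertificate'.issuer}.

%% partial_chain callback. Chain is the list of DER certificates the peer
%% sent. Returning {trusted_ca, Cert} makes ssl treat Cert as the trust
%% anchor and run path validation only over the certificates below it,
%% so an unknown or expired issuer above it (DST Root CA X3) is ignored.
partial_chain(TrustedSpkis, Chain) ->
    lists:foreach(fun(Der) ->
                          {Subject, Issuer} = describe(Der),
                          io:format("served: subject=~p~n        issuer=~p~n",
                                    [Subject, Issuer])
                  end, Chain),
    case [Der || Der <- Chain, lists:member(spki(Der), TrustedSpkis)] of
        [Trusted | _] -> {trusted_ca, Trusted};
        []            -> unknown_ca   % nothing in the chain is trusted: fail closed
    end.

%% Open a verified TLS connection; returns {ok, SslSocket} | {error, Reason}.
connect(Host, Port) ->
    {ok, _} = application:ensure_all_started(ssl),
    CAs = cacerts(),
    Trusted = [spki(D) || D <- CAs],
    Opts = [{verify, verify_peer},
            {cacerts, CAs},
            {depth, 3},
            {server_name_indication, Host},
            {partial_chain, fun(Chain) -> partial_chain(Trusted, Chain) end}],
    ssl:connect(Host, Port, Opts, 5000).   % assumption: 5 s handshake timeout
```

Call it as `le_chain_check:connect("example.com", 443)`. The matching is deliberately done on the public key rather than on DER equality: the served cross-signed certificate is a different blob from the self-signed root in the bundle, but the key is what the trust decision rests on. Keep `{verify, verify_peer}` and hostname checking in place; `partial_chain` only changes where the chain is anchored, not whether it is verified.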

Guilherme Andrade

Oct 1, 2021, 2:25:38 PM
to Jeroen Koops, erlang-questions
> What I do know, is that the Erlang SSL implementation does not seem to accept Let's Encrypt certificates anymore with { verify, verify_peer } since the update.

Shameless plug: `tls_certificate_check` might help you reduce the amount of boilerplate needed to secure TLS connections.

It's recently been adapted to deal with situations like the DST Root CA X3 expiration, based on the information I found on the same blog that Roger shared with you earlier.