| 2021-09-21 23:23:09 |
Dimitri John Ledkov |
bug |
|
|
added bug |
| 2021-09-21 23:26:12 |
Dimitri John Ledkov |
description |
[Impact]
* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the cross-gigned CA certificate "DST Root CA X3"
* "DST Root CA X3" is about to expire, however it has issued an update cross-signature to letsencrypt beyond the CA's expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain suspeptible to this expiry.
* One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
[Test Plan]
* Install new ca-certificates package
* Test that connectivity to letsencrypt websites works under faketime 2021-10-01 for OpenSSL and gnutls clients i.e.
faketime 2021-10-01 gnutls-cli canonical.com
faketime '2021-10-01' wget -O /dev/null https://canonical.com
[Where problems could occur]
* Connectivity to "DST Root CA X3" websites only, even under faketime set to dates prior to 30th of September 2021 will not work, as "DST Root CA X3" certificate is no longer installed. users should locally install and enable that CA certificate, or allow dangerous unverified connectivity to websites using expired CA certs.
[Other Info]
* Related openssl and gnutls28 bugs are https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648 |
[Impact]
* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letencrypt CA
* "DST Root CA X3" is about to expire, however it has issued an update cross-signature to letsencrypt beyond the CA's expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain suspeptible to this expiry.
* One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
[Test Plan]
* Install new ca-certificates package
* Test that connectivity to letsencrypt websites works under faketime 2021-10-01 for OpenSSL and gnutls clients i.e.
faketime 2021-10-01 gnutls-cli canonical.com
faketime '2021-10-01' wget -O /dev/null https://canonical.com
[Where problems could occur]
* Connectivity to "DST Root CA X3" websites only, even under faketime set to dates prior to 30th of September 2021 will not work, as "DST Root CA X3" certificate is no longer installed. users should locally install and enable that CA certificate, or allow dangerous unverified connectivity to websites using expired CA certs.
[Other Info]
* Related openssl and gnutls28 bugs are https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648 |
|
| 2021-09-21 23:26:27 |
Dimitri John Ledkov |
description |
[Impact]
* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letencrypt CA
* "DST Root CA X3" is about to expire, however it has issued an update cross-signature to letsencrypt beyond the CA's expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain suspeptible to this expiry.
* One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
[Test Plan]
* Install new ca-certificates package
* Test that connectivity to letsencrypt websites works under faketime 2021-10-01 for OpenSSL and gnutls clients i.e.
faketime 2021-10-01 gnutls-cli canonical.com
faketime '2021-10-01' wget -O /dev/null https://canonical.com
[Where problems could occur]
* Connectivity to "DST Root CA X3" websites only, even under faketime set to dates prior to 30th of September 2021 will not work, as "DST Root CA X3" certificate is no longer installed. users should locally install and enable that CA certificate, or allow dangerous unverified connectivity to websites using expired CA certs.
[Other Info]
* Related openssl and gnutls28 bugs are https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648 |
[Impact]
* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letencrypt CA
* "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain suspeptible to this expiry.
* One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
[Test Plan]
* Install new ca-certificates package
* Test that connectivity to letsencrypt websites works under faketime 2021-10-01 for OpenSSL and gnutls clients i.e.
faketime 2021-10-01 gnutls-cli canonical.com
faketime '2021-10-01' wget -O /dev/null https://canonical.com
[Where problems could occur]
* Connectivity to "DST Root CA X3" websites only, even under faketime set to dates prior to 30th of September 2021 will not work, as "DST Root CA X3" certificate is no longer installed. users should locally install and enable that CA certificate, or allow dangerous unverified connectivity to websites using expired CA certs.
[Other Info]
* Related openssl and gnutls28 bugs are https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648 |
|
| 2021-09-21 23:32:58 |
Dimitri John Ledkov |
description |
[Impact]
* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letencrypt CA
* "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain suspeptible to this expiry.
* One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
[Test Plan]
* Install new ca-certificates package
* Test that connectivity to letsencrypt websites works under faketime 2021-10-01 for OpenSSL and gnutls clients i.e.
faketime 2021-10-01 gnutls-cli canonical.com
faketime '2021-10-01' wget -O /dev/null https://canonical.com
[Where problems could occur]
* Connectivity to "DST Root CA X3" websites only, even under faketime set to dates prior to 30th of September 2021 will not work, as "DST Root CA X3" certificate is no longer installed. users should locally install and enable that CA certificate, or allow dangerous unverified connectivity to websites using expired CA certs.
[Other Info]
* Related openssl and gnutls28 bugs are https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648 |
[Impact]
* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letencrypt CA
* "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain suspeptible to this expiry.
* One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
[Test Plan]
* Install new ca-certificates package
* Test that connectivity to letsencrypt websites works under faketime 2021-10-01 for OpenSSL and gnutls clients i.e.
faketime 2021-10-01 gnutls-cli canonical.com
faketime 2021-10-01 openssl s_client -showcerts -connect canonical.com:443 < /dev/null
...
Verify return code: 0 (ok)
...
[Where problems could occur]
* Connectivity to "DST Root CA X3" websites only, even under faketime set to dates prior to 30th of September 2021 will not work, as "DST Root CA X3" certificate is no longer installed. users should locally install and enable that CA certificate, or allow dangerous unverified connectivity to websites using expired CA certs.
[Other Info]
* Related openssl and gnutls28 bugs are https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648 |
|
| 2021-09-21 23:58:19 |
Dimitri John Ledkov |
description |
[Impact]
* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letencrypt CA
* "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain suspeptible to this expiry.
* One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
[Test Plan]
* Install new ca-certificates package
* Test that connectivity to letsencrypt websites works under faketime 2021-10-01 for OpenSSL and gnutls clients i.e.
faketime 2021-10-01 gnutls-cli canonical.com
faketime 2021-10-01 openssl s_client -showcerts -connect canonical.com:443 < /dev/null
...
Verify return code: 0 (ok)
...
[Where problems could occur]
* Connectivity to "DST Root CA X3" websites only, even under faketime set to dates prior to 30th of September 2021 will not work, as "DST Root CA X3" certificate is no longer installed. users should locally install and enable that CA certificate, or allow dangerous unverified connectivity to websites using expired CA certs.
[Other Info]
* Related openssl and gnutls28 bugs are https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648 |
[Impact]
* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letencrypt CA
* "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain suspeptible to this expiry.
* One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
[Test Plan]
* Install old/current ca-certificates package, faketime, wget
# faketime 2021-10-01 wget https://pskov.surgut.co.uk
--2021-10-01 00:00:00-- https://pskov.surgut.co.uk/
Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
ERROR: cannot verify pskov.surgut.co.uk's certificate, issued by '/C=US/O=Let\'s Encrypt/CN=R3':
Issued certificate has expired.
To connect to pskov.surgut.co.uk insecurely, use `--no-check-certificate'.
* Install new ca-certificates package
# faketime 2021-10-01 wget https://pskov.surgut.co.uk
--2021-10-01 00:00:00-- https://pskov.surgut.co.uk/
Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 612 [text/html]
Saving to: 'index.html.3'
100%[====================================================>] 612 --.-K/s in 0s
2021-10-01 00:00:00 (71.7 MB/s) - 'index.html.3' saved [612/612]
Download is successful.
[Where problems could occur]
* Connectivity to "DST Root CA X3" websites only, even under faketime set to dates prior to 30th of September 2021 will not work, as "DST Root CA X3" certificate is no longer installed. users should locally install and enable that CA certificate, or allow dangerous unverified connectivity to websites using expired CA certs.
[Other Info]
* Related openssl and gnutls28 bugs are https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648 |
|
| 2021-09-21 23:58:51 |
Dimitri John Ledkov |
attachment added |
|
trusty.debdiff https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1944481/+attachment/5526782/+files/trusty.debdiff |
|
| 2021-09-22 00:20:44 |
Dimitri John Ledkov |
description |
[Impact]
* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letencrypt CA
* "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain suspeptible to this expiry.
* One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
[Test Plan]
* Install old/current ca-certificates package, faketime, wget
# faketime 2021-10-01 wget https://pskov.surgut.co.uk
--2021-10-01 00:00:00-- https://pskov.surgut.co.uk/
Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
ERROR: cannot verify pskov.surgut.co.uk's certificate, issued by '/C=US/O=Let\'s Encrypt/CN=R3':
Issued certificate has expired.
To connect to pskov.surgut.co.uk insecurely, use `--no-check-certificate'.
* Install new ca-certificates package
# faketime 2021-10-01 wget https://pskov.surgut.co.uk
--2021-10-01 00:00:00-- https://pskov.surgut.co.uk/
Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 612 [text/html]
Saving to: 'index.html.3'
100%[====================================================>] 612 --.-K/s in 0s
2021-10-01 00:00:00 (71.7 MB/s) - 'index.html.3' saved [612/612]
Download is successful.
[Where problems could occur]
* Connectivity to "DST Root CA X3" websites only, even under faketime set to dates prior to 30th of September 2021 will not work, as "DST Root CA X3" certificate is no longer installed. users should locally install and enable that CA certificate, or allow dangerous unverified connectivity to websites using expired CA certs.
[Other Info]
* Related openssl and gnutls28 bugs are https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648 |
[Impact]
* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letencrypt CA
* "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain suspeptible to this expiry.
* One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
[Test Plan]
* Install old/current ca-certificates faketime wget curl libcurl3-gnutls
# faketime 2021-10-01 wget https://pskov.surgut.co.uk
--2021-10-01 00:00:00-- https://pskov.surgut.co.uk/
Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
ERROR: cannot verify pskov.surgut.co.uk's certificate, issued by '/C=US/O=Let\'s Encrypt/CN=R3':
Issued certificate has expired.
To connect to pskov.surgut.co.uk insecurely, use `--no-check-certificate'.
# LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: certificate has expired
* Install new ca-certificates package
# faketime 2021-10-01 wget https://pskov.surgut.co.uk
--2021-10-01 00:00:00-- https://pskov.surgut.co.uk/
Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 612 [text/html]
Saving to: 'index.html.3'
100%[====================================================>] 612 --.-K/s in 0s
2021-10-01 00:00:00 (71.7 MB/s) - 'index.html.3' saved [612/612]
LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 612 100 612 0 0 5794 0 --:--:-- --:--:-- --:--:-- 5828
Download is successful.
[Where problems could occur]
* Connectivity to "DST Root CA X3" websites only, even under faketime set to dates prior to 30th of September 2021 will not work, as "DST Root CA X3" certificate is no longer installed. users should locally install and enable that CA certificate, or allow dangerous unverified connectivity to websites using expired CA certs.
[Other Info]
* Related openssl and gnutls28 bugs are https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648 |
|
| 2021-09-22 00:23:22 |
Dimitri John Ledkov |
description |
[Impact]
* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letencrypt CA
* "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain suspeptible to this expiry.
* One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
[Test Plan]
* Install old/current ca-certificates faketime wget curl libcurl3-gnutls
# faketime 2021-10-01 wget https://pskov.surgut.co.uk
--2021-10-01 00:00:00-- https://pskov.surgut.co.uk/
Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
ERROR: cannot verify pskov.surgut.co.uk's certificate, issued by '/C=US/O=Let\'s Encrypt/CN=R3':
Issued certificate has expired.
To connect to pskov.surgut.co.uk insecurely, use `--no-check-certificate'.
# LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: certificate has expired
* Install new ca-certificates package
# faketime 2021-10-01 wget https://pskov.surgut.co.uk
--2021-10-01 00:00:00-- https://pskov.surgut.co.uk/
Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 612 [text/html]
Saving to: 'index.html.3'
100%[====================================================>] 612 --.-K/s in 0s
2021-10-01 00:00:00 (71.7 MB/s) - 'index.html.3' saved [612/612]
LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 612 100 612 0 0 5794 0 --:--:-- --:--:-- --:--:-- 5828
Download is successful.
[Where problems could occur]
* Connectivity to "DST Root CA X3" websites only, even under faketime set to dates prior to 30th of September 2021 will not work, as "DST Root CA X3" certificate is no longer installed. users should locally install and enable that CA certificate, or allow dangerous unverified connectivity to websites using expired CA certs.
[Other Info]
* Related openssl and gnutls28 bugs are https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648 |
[Impact]
* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letencrypt CA
* "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain suspeptible to this expiry.
* One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
* This is similar to how this was handled for AddTrust before
"* mozilla/blacklist.txt: blacklist expired AddTrust External Root CA."
[Test Plan]
* Install old/current ca-certificates faketime wget curl libcurl3-gnutls
# faketime 2021-10-01 wget https://pskov.surgut.co.uk
--2021-10-01 00:00:00-- https://pskov.surgut.co.uk/
Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
ERROR: cannot verify pskov.surgut.co.uk's certificate, issued by '/C=US/O=Let\'s Encrypt/CN=R3':
Issued certificate has expired.
To connect to pskov.surgut.co.uk insecurely, use `--no-check-certificate'.
# LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: certificate has expired
* Install new ca-certificates package
# faketime 2021-10-01 wget https://pskov.surgut.co.uk
--2021-10-01 00:00:00-- https://pskov.surgut.co.uk/
Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 612 [text/html]
Saving to: 'index.html.3'
100%[====================================================>] 612 --.-K/s in 0s
2021-10-01 00:00:00 (71.7 MB/s) - 'index.html.3' saved [612/612]
LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 612 100 612 0 0 5794 0 --:--:-- --:--:-- --:--:-- 5828
Download is successful.
[Where problems could occur]
* Connectivity to "DST Root CA X3" websites only, even under faketime set to dates prior to 30th of September 2021 will not work, as "DST Root CA X3" certificate is no longer installed. users should locally install and enable that CA certificate, or allow dangerous unverified connectivity to websites using expired CA certs.
[Other Info]
* Related openssl and gnutls28 bugs are https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648 |
|
| 2021-09-22 00:27:12 |
Dimitri John Ledkov |
attachment added |
|
trusty-esm.debdiff https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1944481/+attachment/5526783/+files/trusty-esm.debdiff |
|
| 2021-09-22 00:28:18 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Trusty |
|
| 2021-09-22 00:28:18 |
Dimitri John Ledkov |
bug task added |
|
ca-certificates (Ubuntu Trusty) |
|
| 2021-09-23 09:53:45 |
Dimitri John Ledkov |
bug |
|
|
added subscriber The Canonical Sysadmins |
| 2021-09-23 10:56:06 |
Marc Deslauriers |
information type |
Private Security |
Public Security |
|
| 2021-09-23 10:56:24 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Impish |
|
| 2021-09-23 10:56:24 |
Marc Deslauriers |
bug task added |
|
ca-certificates (Ubuntu Impish) |
|
| 2021-09-23 10:56:24 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Bionic |
|
| 2021-09-23 10:56:24 |
Marc Deslauriers |
bug task added |
|
ca-certificates (Ubuntu Bionic) |
|
| 2021-09-23 10:56:24 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Hirsute |
|
| 2021-09-23 10:56:24 |
Marc Deslauriers |
bug task added |
|
ca-certificates (Ubuntu Hirsute) |
|
| 2021-09-23 10:56:24 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Xenial |
|
| 2021-09-23 10:56:24 |
Marc Deslauriers |
bug task added |
|
ca-certificates (Ubuntu Xenial) |
|
| 2021-09-23 10:56:24 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Focal |
|
| 2021-09-23 10:56:24 |
Marc Deslauriers |
bug task added |
|
ca-certificates (Ubuntu Focal) |
|
| 2021-09-23 10:56:32 |
Marc Deslauriers |
ca-certificates (Ubuntu Bionic): assignee |
|
Marc Deslauriers (mdeslaur) |
|
| 2021-09-23 10:56:36 |
Marc Deslauriers |
ca-certificates (Ubuntu Focal): assignee |
|
Marc Deslauriers (mdeslaur) |
|
| 2021-09-23 10:56:39 |
Marc Deslauriers |
ca-certificates (Ubuntu Hirsute): assignee |
|
Marc Deslauriers (mdeslaur) |
|
| 2021-09-23 10:56:42 |
Marc Deslauriers |
ca-certificates (Ubuntu Impish): assignee |
|
Marc Deslauriers (mdeslaur) |
|
| 2021-09-23 11:41:22 |
Launchpad Janitor |
ca-certificates (Ubuntu Focal): status |
New |
Fix Released |
|
| 2021-09-23 11:41:24 |
Launchpad Janitor |
ca-certificates (Ubuntu Bionic): status |
New |
Fix Released |
|
| 2021-09-23 11:48:47 |
Launchpad Janitor |
ca-certificates (Ubuntu Hirsute): status |
New |
Fix Released |
|
| 2021-09-23 12:29:53 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
| 2021-09-23 13:30:56 |
Marc Deslauriers |
ca-certificates (Ubuntu Impish): status |
New |
Fix Committed |
|
| 2021-09-23 13:31:15 |
Marc Deslauriers |
ca-certificates (Ubuntu Trusty): status |
New |
Fix Released |
|
| 2021-09-23 13:31:19 |
Marc Deslauriers |
ca-certificates (Ubuntu Xenial): status |
New |
Fix Released |
|
| 2021-09-23 15:47:29 |
Romain Couturat |
information type |
Public Security |
Private Security |
|
| 2021-09-23 15:50:46 |
Romain Couturat |
removed subscriber The Canonical Sysadmins |
|
|
|
| 2021-09-23 15:54:16 |
Romain Couturat |
information type |
Private Security |
Public |
|
| 2021-09-23 15:54:47 |
Romain Couturat |
information type |
Public |
Public Security |
|
| 2021-09-27 08:15:02 |
Romain Couturat |
bug |
|
|
added subscriber Romain Couturat |
| 2021-09-28 10:41:47 |
Fabiano Nunes |
bug |
|
|
added subscriber Fabiano Nunes |
| 2021-09-30 23:51:24 |
Launchpad Janitor |
ca-certificates (Ubuntu Impish): status |
Fix Committed |
Fix Released |
|
| 2021-10-09 13:51:45 |
Jeremy Bícha |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995432 |
|
| 2021-10-09 13:51:45 |
Jeremy Bícha |
bug task added |
|
ca-certificates (Fluxbuntu) |
|
| 2021-10-09 14:25:24 |
Jeremy Bícha |
bug task deleted |
ca-certificates (Fluxbuntu) |
|
|
| 2021-10-09 14:25:45 |
Jeremy Bícha |
bug task added |
|
ca-certificates (Debian) |
|
| 2021-10-09 16:02:31 |
Bug Watch Updater |
ca-certificates (Debian): status |
Unknown |
Fix Released |
|
