Yesterday we share the news here on the blog on the termination of the IdenTrust certificate (DST Root CA X3) used to sign the Let's Encrypt CA certificate has caused problems with the Let's Encrypt certificate validation in projects using older versions of OpenSSL and GnuTLS.
The issues also affected the LibreSSL library, whose developers did not take into account past experience related to crashes that occurred after the AddTrust root certificate of the Sectigo (Comodo) certificate authority expired.
And is that in OpenSSL versions up to and including 1.0.2 and in GnuTLS before 3.6.14, an error occurred that it did not allow the correct processing of cross-signed certificates if one of the root certificates used for signing expired, even if other valid ones were kept.
The essence of the error is that the previous versions of OpenSSL and GnuTLS parsed the certificate as a linear chain, whereas according to RFC 4158, a certificate can represent a directed distributed pie chart with various trust anchors that must be taken into account.
Meanwhile the OpenBSD project urgently released patches for the 6.8 and 6.9 branches today, which fix issues in LibreSSL with cross-signed certificate verification, one of the root certificates in the trust chain has expired. As a solution to the problem, it is recommended in / etc / installurl, switch from HTTPS to HTTP (this does not threaten security, as updates are additionally verified by digital signature) or select an alternative mirror (ftp.usa.openbsd.org , ftp.hostserver.de, cdn.openbsd .org).
As well expired DST Root CA X3 certificate can be removed from the /etc/ssl/cert.pem file, and the syspatch utility used to install binary system updates has stopped working on OpenBSD.
Similar DragonFly BSD problems occur when working with DPorts. When starting the pkg package manager, a certificate validation error is generated. The fix has been added to the master branches, DragonFly_RELEASE_6_0 and DragonFly_RELEASE_5_8 today. As a workaround, you can remove the DST Root CA X3 certificate.
Some of the failures that occurred after the IdenTrust certificate was canceled were the following:
- The Let's Encrypt certificate verification process has been interrupted in applications based on the Electron platform. This issue was fixed in updates 12.2.1, 13.5.1, 14.1.0, 15.1.0.
- Some distributions have trouble accessing package repositories when using the APT package manager included with older versions of the GnuTLS library.
- Debian 9 was affected by the unpatched GnuTLS package, causing problems accessing deb.debian.org for users who did not install updates in time (fix gnutls28-3.5.8-5 + deb9u6 was proposed on 17 of September).
- The acme client broke on OPNsense, the issue was reported ahead of time, but the developers failed to release the patch in time.
- The issue affected the OpenSSL 1.0.2k package on RHEL / CentOS 7, but a week ago for RHEL 7 and CentOS 7, an update to the ca-certificate-2021.2.50-72.el7_9.noarch package was generated, from which The IdenTrust certificate was deleted, that is, the manifestation of the problem was blocked beforehand.
- Since the updates were released early, the problem with Let's Encrypt certificate verification affected only users of the old RHEL / CentOS and Ubuntu branches, who do not install updates regularly.
- The certificate verification process in grpc is broken.
- Failed to create Cloudflare page platform.
- Amazon Web Services (AWS) issues.
- DigitalOcean users are having trouble connecting to the database.
- Netlify cloud platform failure.
- Problems accessing Xero services.
- An attempt to establish a TLS connection with the MailGun Web API failed.
- Bugs in macOS and iOS versions (11, 13, 14), which theoretically should not have been affected by the problem.
- Catchpoint services failure.
- Failed to check certificates when accessing PostMan API.
- The Guardian Firewall crashed.
- Disruption on monday.com support page.
- Crash on the Cerb platform.
- Unable to verify uptime in Google Cloud Monitoring.
- Issue with certificate validation on Cisco Umbrella Secure Web Gateway.
- Problems connecting to Bluecoat and Palo Alto proxies.
- OVHcloud is having trouble connecting to the OpenStack API.
- Problems generating reports in Shopify.
- There are problems accessing the Heroku API.
- Crash in Ledger Live Manager.
- Certificate validation error in Facebook application development tools.
- Problems in Sophos SG UTM.
- Problems with certificate verification in cPanel.
As an alternative solution, it is proposed to remove the certificate «DST Root CA X3» from the system store (/etc/ca-certificates.conf and / etc / ssl / certs) and then run the command "update-ca -ificates -f -v").
On CentOS and RHEL, you can add the "DST Root CA X3" certificate to the blacklist.