
default.pem in Arcanist is out of date
Open, Needs Triage, Public

Description

tldr

If your Phorge install uses Let's Encrypt certs, and any of your clients using Arcanist are on CentOS, you will have this issue.

D25023 implements a fix.
https://github.com/willson556/phorge-devcontainer/pull/6 implements a fix in the phorge-devcontainer for those using this setup.

Issue

We noticed the issue as a result of a

https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4

For TLS certificates issued by Let's Encrypt, the root certificate (DST Root CA X3) in the default chain expires on September 30, 2021. Due to their unique approach, the expired certificate will continue to be part of the certificate chain till 2024. This affects OpenSSL 1.0.2k on RHEL/CentOS 7 servers, and will result in applications/tools failing to establish TLS/HTTPS connections with a "certificate has expired" message.

In essence, using Arcanist on CentOS 7 or 8 no longer works, and it seems to be because Arcanist is grabbing its own default.pem file, which is located here:

https://we.phorge.it/source/arcanist/browse/master/resources/ssl/

Note that on Ubuntu, updating the ca-certificates package resolves the issue. However, on CentOS we did the suggested update, but Arcanist is still for some reason using this old pem file. We don't know why that is yet, but, regardless, this file should probably be updated as it is 5 years out of date.

The last updated date is "Certificate data from Mozilla as of: Wed Jan 20 04:12:04 2016".

We should update this fallback file to the latest .pem from https://curl.se/docs/caextract.html

Reproduce

Run this command and it will fail:

curl -v --cacert /path/to/arcanist/resources/ssl/default.pem https://letsencrypt.org/
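Added example, not part of this task or of Arcanist: a small stdlib-only audit that reads a bundle in the curl caextract layout (the "Certificate data from Mozilla as of:" header, and each certificate preceded by its name and a row of "=" signs) and flags a stale header date or a missing root. It assumes that layout, treats "ISRG Root X1" (Let's Encrypt's own root) as the root a Let's Encrypt chain needs, and uses a constructed sample bundle with the certificate bodies omitted; it checks labels and the header only and does not validate the certificates themselves.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Header line carried by curl's caextract bundle (and Arcanist's copy of it).
AS_OF_RE = re.compile(r"Certificate data from Mozilla as of:\s*(.+)$", re.M)
# In that layout each certificate is preceded by its name and a row of '=' signs.
LABEL_RE = re.compile(r"^(?P<name>[^\n=#][^\n]*)\n=+\n-----BEGIN CERTIFICATE-----", re.M)

# Constructed sample in the bundle layout; certificate bodies are omitted on purpose.
SAMPLE_BUNDLE = """\
##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Wed Jan 20 04:12:04 2016
##

DST Root CA X3
==============
-----BEGIN CERTIFICATE-----
(base64 body omitted in this constructed sample)
-----END CERTIFICATE-----
"""

def bundle_as_of(pem_text):
    """Return the header's 'as of' timestamp as an aware UTC datetime, or None."""
    m = AS_OF_RE.search(pem_text)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def bundle_cert_names(pem_text):
    """Names of the certificates in the bundle, taken from their label lines."""
    return [m.group("name").strip() for m in LABEL_RE.finditer(pem_text)]

def audit_bundle(pem_text, required=("ISRG Root X1",), max_age_days=365, now=None):
    """Return a list of findings; an empty list means the bundle passed."""
    now = now or datetime.now(timezone.utc)
    as_of = bundle_as_of(pem_text)
    names = bundle_cert_names(pem_text)
    findings = []
    if as_of is None:
        findings.append("no 'as of' header; cannot judge bundle age")
    elif now - as_of > timedelta(days=max_age_days):
        findings.append(f"bundle is {(now - as_of).days} days old (as of {as_of:%Y-%m-%d})")
    for name in required:
        if name not in names:
            findings.append(f"missing root: {name}")
    return findings

if __name__ == "__main__":
    # Usage: python audit_bundle.py /path/to/arcanist/resources/ssl/default.pem
    with open(sys.argv[1], encoding="utf-8") as fh:
        for line in audit_bundle(fh.read()) or ["bundle looks current"]:
            print(line)
```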