Page MenuHomePhorge
Create Task
Maniphest T15052

Deal with DST_Root_CA_X3 expiry (Let's Encrypt)
Closed, InvalidPublic
Actions

Description

As documented here:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

Since DST_Root_CA_X3 expired on September 30th, any kind of HTTPS hook against a Let's Encrypt HTTPS host is failing with "HTTP 60" in the HEAD log and an empty BODY log.

I managed to figure out this is to be fixed in rARC, specifically in resources/ssl/default.pem; but I'm unsure as to how that file was being maintained / generated. Hopefully somebody else knows and can chime in.

In the meantime I symlinked my (FreeBSD) system's CA bundle with:
ln -s /usr/local/share/certs/ca-root-nss.crt ${ARCANIST}/resources/ssl/custom.pem
which fixes the issue for me, but someone else is likely going to run against this issue.

Related Objects

Event Timeline

evilham created this task.Oct 6 2021, 15:59
Herald added subscribers: chris, speck, tobiaswiese, eax. · View Herald TranscriptOct 6 2021, 15:59
Ekubischta subscribed.Oct 6 2021, 16:06

This is a duplicate of T15051 and potentially solved with D25023

evilham closed this task as Resolved.Oct 6 2021, 16:10
evilham claimed this task.

Oh my, sorry for the noise; my search-foo didn't find that.

evilham changed the task status from Resolved to Invalid.Oct 6 2021, 16:10
avivey edited projects, added Arcanist; removed Arcanist (archived).Apr 6 2023, 10:31
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0