Page MenuHomePhorge

Deal with DST_Root_CA_X3 expiry (Let's Encrypt)
Closed, InvalidPublic

Description

As documented here:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

Since DST_Root_CA_X3 expired on September 30th, any kind of HTTPS hook against a Let's Encrypt HTTPS host is failing with "HTTP 60" in the HEAD log and an empty BODY log.

I managed to figure out this is to be fixed in rARC, specifically in resources/ssl/default.pem; but I'm unsure as to how that file was being maintained / generated. Hopefully somebody else knows and can chime in.

In the meantime I symlinked my (FreeBSD) system's CA bundle with:
ln -s /usr/local/share/certs/ca-root-nss.crt ${ARCANIST}/resources/ssl/custom.pem
which fixes the issue for me, but someone else is likely going to run against this issue.

Event Timeline

This is a duplicate of T15051 and potentially solved with D25023

evilham claimed this task.

Oh my, sorry for the noise; my search-foo didn't find that.

evilham changed the task status from Resolved to Invalid.Wed, Oct 6, 16:10