Change Details

=== tldr If your phorge install uses letsencrypt certs, and at any of your clients using arcanist are on centos, you will have this issue. === Issue We noticed the issue as result of a https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 > > For TLS certificates issued by Let’s Encrypt, the root certificate (DST Root CA X3) in the default chain expires on September 30, 2021. Due to their unique approach, the expired certificate will continue to be part of the certificate chain till 2024. This affects OpenSSL 1.0.2k on RHEL/CentOS 7 servers, and will result in applications/tools failing to establish TLS/HTTPS connections with a certificate has expired message. > In essence, using Arcanist on Centos 7 or 8 no longer works and it seems to be because arcanist is grabbing its own `default.pem` file which is located here Note that on Ubuntu, updating the `ca-certificates` package resolves the issue. However, on Centos we did the suggested update, but arcanist is still for some reason using this old `pem` file. We don't why that is yet, but, regardless, this file should probably be update as it is 5 years out of date. https://we.phorge.it/source/arcanist/browse/master/resources/ssl/ The last updated date is `Certificate data from Mozilla as of: Wed Jan 20 04:12:04 2016` We should update this fallback file to the latest `.pem` from https://curl.se/docs/caextract.html ===Reproduce Run this command - And it will fail ``` curl -v --cacert /usr/local/bin/arcanist/resources/ssl/default.pem https://letsencrypt.org/ ```

=== tldr If your phorge install uses letsencrypt certs, and at any of your clients using arcanist are on centos, you will have this issue. === Issue We noticed the issue as result of a https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 > > For TLS certificates issued by Let’s Encrypt, the root certificate (DST Root CA X3) in the default chain expires on September 30, 2021. Due to their unique approach, the expired certificate will continue to be part of the certificate chain till 2024. This affects OpenSSL 1.0.2k on RHEL/CentOS 7 servers, and will result in applications/tools failing to establish TLS/HTTPS connections with a certificate has expired message. > In essence, using Arcanist on Centos 7 or 8 no longer works and it seems to be because arcanist is grabbing its own `default.pem` file which is located here Note that on Ubuntu, updating the `ca-certificates` package resolves the issue. However, on Centos we did the suggested update, but arcanist is still for some reason using this old `pem` file. We don't why that is yet, but, regardless, this file should probably be update as it is 5 years out of date. https://we.phorge.it/source/arcanist/browse/master/resources/ssl/ The last updated date is `Certificate data from Mozilla as of: Wed Jan 20 04:12:04 2016` We should update this fallback file to the latest `.pem` from https://curl.se/docs/caextract.html ===Reproduce Run this command - And it will fail ``` curl -v --cacert /path/to/arcanist/resources/ssl/default.pem https://letsencrypt.org/ ```

=== tldr If your phorge install uses letsencrypt certs, and at any of your clients using arcanist are on centos, you will have this issue. === Issue We noticed the issue as result of a https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 > > For TLS certificates issued by Let’s Encrypt, the root certificate (DST Root CA X3) in the default chain expires on September 30, 2021. Due to their unique approach, the expired certificate will continue to be part of the certificate chain till 2024. This affects OpenSSL 1.0.2k on RHEL/CentOS 7 servers, and will result in applications/tools failing to establish TLS/HTTPS connections with a certificate has expired message. > In essence, using Arcanist on Centos 7 or 8 no longer works and it seems to be because arcanist is grabbing its own `default.pem` file which is located here Note that on Ubuntu, updating the `ca-certificates` package resolves the issue. However, on Centos we did the suggested update, but arcanist is still for some reason using this old `pem` file. We don't why that is yet, but, regardless, this file should probably be update as it is 5 years out of date. https://we.phorge.it/source/arcanist/browse/master/resources/ssl/ The last updated date is `Certificate data from Mozilla as of: Wed Jan 20 04:12:04 2016` We should update this fallback file to the latest `.pem` from https://curl.se/docs/caextract.html ===Reproduce Run this command - And it will fail ``` curl -v --cacert /usr/local/binpath/to/arcanist/resources/ssl/default.pem https://letsencrypt.org/ ```