Ian Kelling <i...@fsf.org> writes:
> Bob Proulx <invalid.nore...@gnu.org> writes: > >> On September 30, 2021, as planned the DST Root CA X3 cross-sign has expired >> for the Let's Encrypt trust chain. That was a normal and planned event. >> However coupled with a verification error in the code of libraries >> authenticating certificates it caused some clients that have not been updated >> to fixed versions to have problems validating certificates. >> >> If you are experiencing invalid certificate chain problems with Let's Encrypt >> certificates (not a Savannah problem) then please upgrade your client to the >> latest security patches for your system. Please reference these resources as >> to upstream information and discussion about the issue. >> >> * https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ >> * https://community.letsencrypt.org/t/production-chain-changes/150739/4 >> * https://letsencrypt.org/docs/certificate-compatibility/ >> * https://letsencrypt.org/certificates/ >> * https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ >> >> >> _______________________________________________ >> Message sent via Savannah >> https://savannah.nongnu.org/ > > With a little googling, seems like this is the way to remove the expired > root cert on trisquel 8, suggested from > https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ > > sudo sed -i"" 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/' > /etc/ca-certificates.conf > sudo dpkg-reconfigure -fnoninteractive ca-certificates > sudo update-ca-certificates Just a stylistic changes below. The site I copied from (https://jay.gooby.org/2021/09/30/remove-the-dst-root-ca-x3-crt-from-ubuntu-14-04-lts) had some ugly syntax going on. sudo sed -i 's,mozilla/DST_Root_CA_X3.crt,!mozilla/DST_Root_CA_X3.crt,' /etc/ca-certificates.conf sudo dpkg-reconfigure -fnoninteractive ca-certificates sudo update-ca-certificates
