On 15/02/2023 12:02 pm, Anthony PERARD wrote:
> While the Let's Encrypt root certificate ISRG_Root_X1.crt is already
> present, openssl seems to still check for the root certificate
> DST_Root_CA_X3.crt which has expired. This prevents https connections.
>
> Removing DST_Root_CA_X3 fixes the issue.
>
> centos: found the filter by looking for "DST Root" in `trust list`.
>
> Signed-off-by: Anthony PERARD <anthony.per...@citrix.com>
> ---
>  automation/build/centos/7.2.dockerfile         | 5 +++++
>  automation/build/centos/7.dockerfile           | 5 +++++
>  automation/build/debian/jessie-i386.dockerfile | 5 +++++
>  automation/build/debian/jessie.dockerfile      | 5 +++++
>  automation/build/ubuntu/trusty.dockerfile      | 5 +++++
>  5 files changed, 25 insertions(+)
>
> diff --git a/automation/build/centos/7.2.dockerfile 
> b/automation/build/centos/7.2.dockerfile
> index 4baa097e31..27244fd002 100644
> --- a/automation/build/centos/7.2.dockerfile
> +++ b/automation/build/centos/7.2.dockerfile
> @@ -50,3 +50,8 @@ RUN rpm --rebuilddb && \
>          bzip2 \
>          nasm \
>      && yum clean all
> +
> +# Remove expired certificate that Let's Encrypt certificates used to relie 
> on.
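
Review bot: the comment added at the end of 7.2.dockerfile does not name the certificate being removed or say why removing it is safe. The commit message has both facts: DST_Root_CA_X3 is the expired root, and ISRG_Root_X1 is already present in the image. Since the diffstat shows the same 5 lines going into all five dockerfiles, suggest the comment name DST Root CA X3 explicitly and state that ISRG Root X1 remains as the trust anchor, so a later reader of any one file can tell what was dropped without finding this commit.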

rely.

And really (to all of these modifications)?  This seems outrageously
hacky to be deploying into production...

Honestly, I think I'd prefer to drop all of these legacy versions...

~Andrew