On Wed, 15 Feb 2023, Andrew Cooper wrote:
> On 15/02/2023 12:02 pm, Anthony PERARD wrote:
> > While the Let's Encrypt root certificate ISRG_Root_X1.crt is already
> > present, openssl seems to still check for the root certificate
> > DST_Root_CA_X3.crt which has expired. This prevents https connections.
> >
> > Removing DST_Root_CA_X3 fixes the issue.
> >
> > centos: found the filter by looking for "DST Root" in `trust list`.
> >
> > Signed-off-by: Anthony PERARD <anthony.per...@citrix.com>
> > ---
> >  automation/build/centos/7.2.dockerfile         | 5 +++++
> >  automation/build/centos/7.dockerfile           | 5 +++++
> >  automation/build/debian/jessie-i386.dockerfile | 5 +++++
> >  automation/build/debian/jessie.dockerfile      | 5 +++++
> >  automation/build/ubuntu/trusty.dockerfile      | 5 +++++
> >  5 files changed, 25 insertions(+)
> >
> > diff --git a/automation/build/centos/7.2.dockerfile 
> > b/automation/build/centos/7.2.dockerfile
> > index 4baa097e31..27244fd002 100644
> > --- a/automation/build/centos/7.2.dockerfile
> > +++ b/automation/build/centos/7.2.dockerfile
> > @@ -50,3 +50,8 @@ RUN rpm --rebuilddb && \
> >          bzip2 \
> >          nasm \
> >      && yum clean all
> > +
> > +# Remove expired certificate that Let's Encrypt certificates used to relie 
> > on.
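Review bot: the added comment misspells "rely" as "relie", and it does not record why the anchor has to go, which is the one thing a future reader of the dockerfile will want to know: per the commit message, the OpenSSL in this image still builds the chain through the expired DST_Root_CA_X3 even though ISRG_Root_X1 is present, so the removal is a workaround for that chain-building behaviour, not a statement that the anchor is untrusted. Suggest wording it along the lines of `# OpenSSL here still chains Let's Encrypt certificates to the expired DST Root CA X3 instead of ISRG Root X1; drop the expired anchor so https verification works.` and noting in the same comment that the removal touches the image-wide trust store, so it affects every TLS client in the container, not just the build fetches this patch is addressing.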
> 
> rely.
> 
> And really (to all of these modifications)?  This seems outrageously
> hacky to be deploying into production...
> 
> Honestly, I think I'd prefer to drop all of these legacy versions...

Good timing! It just so happens that we need to shave some of the old
container tests as we have too many build tests on x86 :-)

I would remove Jessie as it reached EOL years ago. Do we really need
both Centos 7 and 7.2? If not, we could remove 7.

That leaves us with Trusty and Centos 7.2 among these. I would be
tempted to keep Trusty and add the sed hack of this patch to make it
work. For Centos 7.2, the hack looks even worse. Would it solve the
problem to upgrade to the latest Centos 7.x subrelease? Is there really
no other way to solve the problem?
