Abort, Retry, Fail

LetsEncrypt Root Certificate

and old Ubuntu installations

Bradford Morgan White
Sep 30, 2021
If you're currently running any Ubuntu 16.04 machines (you shouldn't be, but that aside), you may find that curl fails with SSL/TLS errors against a good number of servers around the world. This is because Let's Encrypt's old root certificate, DST Root CA X3, has expired and a new root certificate has been enabled in its place. The solution here is fairly simple.

First, make sure that you have the latest ca-certificates package installed.

Next, you need to edit /etc/ca-certificates.conf and disable this line:

mozilla/DST_Root_CA_X3.crt

by making it this line

!mozilla/DST_Root_CA_X3.crt

Then run update-ca-certificates.

This should resolve the problem for you.

If you are on another system that is having this problem, fear not. You can try the following:

# Fetch the updated ca-certificates package and unpack its data archive (ar only splits the .deb; the certs live in data.tar.*).
wget http://security.ubuntu.com/ubuntu/pool/main/c/ca-certificates/ca-certificates_20210119~16.04.1_all.deb
mkdir certs && cd certs
ar x ../ca-certificates_20210119~16.04.1_all.deb
tar xf data.tar.*
# Back up the current Mozilla bundle before overwriting it.
tar cf - /usr/share/ca-certificates/mozilla/ | xz -z > "$HOME/certs.backup.txz"
cd usr/share/ca-certificates/mozilla
cp * /usr/share/ca-certificates/mozilla/
# Disable the expired DST Root CA X3; the pattern is anchored so a repeat run does not prepend a second "!".
sed -i 's#^mozilla/DST_Root_CA_X3\.crt$#!mozilla/DST_Root_CA_X3.crt#' /etc/ca-certificates.conf
update-ca-certificates

The Ubuntu script update-ca-certificates just links the enabled certificates into /etc/ssl/certs and then concatenates them into /etc/ssl/certs/ca-certificates.crt. If you are on a non-Ubuntu system you can do the same by hand: remove the certificates Ubuntu ships disabled, then concatenate the rest.

# Brace expansion only works on a single word, so there must be no spaces between the names.
rm -f /usr/share/ca-certificates/mozilla/{ACEDICOM_Root.crt,AC_Raíz_Certicámara_S.A..crt,AddTrust_External_Root.crt,AddTrust_Low-Value_Services_Root.crt,AddTrust_Public_Services_Root.crt,AddTrust_Qualified_Certificates_Root.crt,ApplicationCA_-_Japanese_Government.crt,Buypass_Class_2_CA_1.crt,CA_Disig.crt,CA_Disig_Root_R1.crt,CA_WoSign_ECC_Root.crt,CNNIC_ROOT.crt,Camerfirma_Chambers_of_Commerce_Root.crt,Camerfirma_Global_Chambersign_Root.crt,Certification_Authority_of_WoSign_G2.crt,Certinomis_-_Autorité_Racine.crt,Certum_Root_CA.crt,China_Internet_Network_Information_Center_EV_Certificates_Root.crt,ComSign_CA.crt,Comodo_Secure_Services_root.crt,Comodo_Trusted_Services_root.crt,DST_ACES_CA_X6.crt,DST_Root_CA_X3.crt,EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt,Equifax_Secure_CA.crt,Equifax_Secure_Global_eBusiness_CA.crt,Equifax_Secure_eBusiness_CA_1.crt,GeoTrust_Global_CA_2.crt,IGC_A.crt,Juur-SK.crt,Microsec_e-Szigno_Root_CA.crt,NetLock_Business_=Class_B=_Root.crt,NetLock_Express_=Class_C=_Root.crt,NetLock_Notary_=Class_A=_Root.crt,NetLock_Qualified_=Class_QA=_Root.crt,PSCProcert.crt,RSA_Security_2048_v3.crt,Root_CA_Generalitat_Valenciana.crt,S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt,S-TRUST_Universal_Root_CA.crt,Security_Communication_EV_RootCA1.crt,Sonera_Class_1_Root_CA.crt,Staat_der_Nederlanden_Root_CA.crt,StartCom_Certification_Authority.crt,StartCom_Certification_Authority_2.crt,StartCom_Certification_Authority_G2.crt,SwissSign_Platinum_CA_-_G2.crt,Swisscom_Root_CA_1.crt,Swisscom_Root_CA_2.crt,Swisscom_Root_EV_CA_2.crt,TC_TrustCenter_Class_3_CA_II.crt,TURKTRUST_Certificate_Services_Provider_Root_2007.crt,TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt,TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt,TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.crt,UTN_USERFirst_Email_Root_CA.crt,UTN_USERFirst_Hardware_Root_CA.crt,Verisign_Class_1_Public_Primary_Certification_Authority.crt,Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt,Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt,Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt,Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt,Verisign_Class_3_Public_Primary_Certification_Authority.crt,Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt,Verisign_Class_3_Public_Primary_Certification_Authority_2.crt,Visa_eCommerce_Root.crt,WellsSecure_Public_Root_Certificate_Authority.crt,WoSign.crt,WoSign_China.crt,Certplus_Root_CA_G1.crt,Certplus_Root_CA_G2.crt,OpenTrust_Root_CA_G1.crt,OpenTrust_Root_CA_G2.crt,OpenTrust_Root_CA_G3.crt}

cat /usr/share/ca-certificates/mozilla/* > /etc/ssl/certs/ca-certificates.crt

That list is the set of certificates disabled in the default Ubuntu configuration, plus the one change described above (DST Root CA X3).
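The same fix written as an added example (not code from the original post): an idempotent version of the ca-certificates.conf edit, a check of an entry's state, and a minimal rebuild of the bundle from the conf's enabled lines, which is what update-ca-certificates does and what a non-Ubuntu system has to do by hand. The conf file, the certificate files and the paths under /tmp are constructed stand-ins for /etc/ca-certificates.conf and /usr/share/ca-certificates.

```shell
# Added example, not from the original post: idempotent ca-certificates.conf
# edit, a state check, and a minimal bundle rebuild for systems without
# update-ca-certificates. Paths under /tmp are constructed stand-ins.
WORK="${TMPDIR:-/tmp}/ca-example"; CONF="$WORK/ca-certificates.conf"; SRC="$WORK/share"

# Constructed sample conf: one cert already disabled, two enabled.
write_sample_conf() {
  mkdir -p "$WORK"
  cat > "$CONF" <<'EOF'
# Lines that begin with "!" will remove certificates.
!mozilla/AddTrust_External_Root.crt
mozilla/DST_Root_CA_X3.crt
mozilla/ISRG_Root_X1.crt
EOF
}

# Constructed placeholder files standing in for the real PEM .crt files.
make_sample_certs() {
  mkdir -p "$SRC/mozilla"
  for c in AddTrust_External_Root DST_Root_CA_X3 ISRG_Root_X1; do
    printf 'PLACEHOLDER (constructed, not a real cert): %s\n' "$c" > "$SRC/mozilla/$c.crt"
  done
}

# Print enabled, disabled or missing for one entry (exact line match).
cert_state() {          # usage: cert_state <conf> mozilla/Name.crt
  if grep -qx -- "$2" "$1"; then echo enabled
  elif grep -qx -- "!$2" "$1"; then echo disabled
  else echo missing; fi
}

# Prefix the entry with "!". Anchored to the whole line, so a second run
# never yields "!!" (an unanchored sed would).
disable_cert() {        # usage: disable_cert <conf> mozilla/Name.crt
  esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  sed "s#^$esc\$#!$2#" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Concatenate only enabled entries into <out>, as update-ca-certificates does
# for ca-certificates.crt (minus symlinks and hooks); prints the count.
build_bundle() {        # usage: build_bundle <conf> <srcdir> <out>
  : > "$3"; n=0
  while IFS= read -r line; do
    case "$line" in ''|'#'*|'!'*) continue ;; esac
    if [ -f "$2/$line" ]; then cat "$2/$line" >> "$3"; n=$((n+1)); fi
  done < "$1"
  echo "$n"
}
```

Pointing CONF and SRC at the real /etc/ca-certificates.conf and /usr/share/ca-certificates (as root) gives the same result as the sed and cat steps above, without the long hard-coded rm list.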
