Ubuntu 12.04 client - LetsEncrypt DST_Root_CA_X3 expiry - OpenSSL fix
LetsEncrypt is my go-to SSL certificate provider, and all my projects and most of my customers' websites run on LetsEncrypt. The recent expiry of the DST Root X3 certificate caused some disruption which required my attention. One particular instance was a Ubuntu 12.04 server.
Server Details
- Operating System: Ubuntu 12.04
- OpenSSL: 1.0.1
Observations
Ubuntu 12.04 is old and it predates the ISRG_ROOT_X1
certificate and I had a feeling it wouldn't already be there and I was correct.
find /usr/share/ca-certificates -name "*ISRG*"
Instructions
Step 1: Ubuntu 12.04 passed its support window long ago and updating using apt
is not an option. The client should have updated the system long ago. To update ca-certificates
I used a deb file from the launchpad library (which I got from a friend) and installed it using dpkg
.
sudo wget https://launchpadlibrarian.net/482351465/ca-certificates_20190110~12.04.1_all.deb
sudo dpkg -i ca-certificates_20190110~12.04.1_all.deb
Step 2: Open the certificate configuration file using your favourite editor. Mine is VIM.
sudo vim /etc/ca-certificates.conf
Step 3: Search for the entry for the expired certificate DST_Root_CA_X3
. You should be on a line similar to mozilla/DST_Root_CA_X3.crt
. Comment this by adding a !
. Save the file and exit.
!mozilla/DST_Root_CA_X3.crt
Step 4: Now run the update-ca-certificates
command. This will read the configuration file and generate one ca-certificates.cert
file.
sudo update-ca-certificates
Confirm
As always we should confirm that the update worked. You can do a curl request to a domain that caused the error or just about any LetsEncrypt SSL site.
curl https://www.jdeen.com
If you see the source code of the page, you are good to go!
Important
Given you are reading this article, the chances are you are administering an Ubuntu 12.04 server. Ubuntu 12.04 has long passed its support window. Managing such a server is only going to get worst over time.
About the Author
Ziyan Junaideen -
Ziyan is an expert Ruby on Rails web developer with 8 years of experience specializing in SaaS applications. He spends his free time he writes blogs, drawing on his iPad, shoots photos.