Expired Certificate Fix

From Computer Science Wiki

Introduction

On May 30, 2020 the root certificate used to sign the certificates used by Computer Science servers expired. The company had provisions in place to keep the certificate chain valid; however, some older versions of OpenSSL have a bug that prevents an alternative root certificate from being used. As a result, some clients wrongly report a certificate-expired error after May 30, 2020. Examples are 'git' on Mac OS and 'wget' on CentOS.

The fix

The fix involves removing the expired certificate from the root CA store so that the client chooses the correct certificate. This process varies from OS to OS.

Mac OS X

The root CA store for OpenSSL-based clients is the /etc/ssl/cert.pem file.

  1. From 'Finder', Select Go->Applications
  2. Open 'Utilities' folder
  3. Open 'Terminal'
  4. Run command sudo su, it will ask you for your password
  5. Run command cd /etc/ssl
  6. Run command cp cert.pem cert.bak; this makes a backup of the file just in case
  7. Use a text editor (such as vi cert.pem or nano cert.pem) to edit the 'cert.pem' file
  8. Search for the "AddTrust External CA Root" block and delete the following two lines
    • "-----BEGIN CERTIFICATE-----"
    • "-----END CERTIFICATE-----"
  9. This will effectively comment out the AddTrust External CA Root certificate
  10. Save the file, and it should be fixed
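The Mac OS X edit above, scripted with the backup step, as an added example that is not from this wiki page: it assumes the line naming the CA sits just before that CA's PEM block, as in cert.pem, and the sample bundle below is constructed with placeholder bodies. The function names neutralize_block, count_certs and fix_bundle_file are chosen here.

```python
import re
# Constructed sample of a cert.pem bundle (label line, then the PEM block);
# the base64 bodies are placeholders, not real certificates.
SAMPLE_BUNDLE = """\
AddTrust External CA Root
-----BEGIN CERTIFICATE-----
QUREVFJVU1QtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
VVNFUlRSVVNULVBMQUNFSE9MREVS
-----END CERTIFICATE-----
"""
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def neutralize_block(bundle_text, label):
    """Drop the BEGIN/END armour lines of each PEM block that follows a line
    containing `label`, so OpenSSL no longer parses that certificate (the
    'comment out' step of the fix). Other blocks stay byte-for-byte intact;
    an unknown label changes nothing. Returns (new_text, lines_removed)."""
    out, removed = [], 0
    armed = in_target = False   # armed: label seen; in_target: inside its block
    for line in bundle_text.splitlines(keepends=True):
        stripped = line.strip()
        if not armed and not in_target and label in stripped:
            armed = True
        elif armed and stripped == BEGIN:
            armed, in_target, removed = False, True, removed + 1
            continue                 # drop the BEGIN line
        elif in_target and stripped == END:
            in_target, removed = False, removed + 1
            continue                 # drop the END line
        out.append(line)
    return "".join(out), removed

def count_certs(bundle_text):
    """Number of PEM certificate blocks a client would still load."""
    return len(re.findall(re.escape(BEGIN) + r".*?" + re.escape(END), bundle_text, re.S))

def fix_bundle_file(path, label="AddTrust External CA Root"):
    """Back up `path` to path + '.bak', then rewrite it with the labelled block neutralized."""
    with open(path) as f:
        text = f.read()
    new_text, removed = neutralize_block(text, label)
    if removed:
        with open(path + ".bak", "w") as f:
            f.write(text)
        with open(path, "w") as f:
            f.write(new_text)
    return removed
```

Run it as root against /etc/ssl/cert.pem (fix_bundle_file("/etc/ssl/cert.pem")); a return value of 0 means the label was not found and the file was left untouched.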

CentOS

The root CA store is located at /etc/ssl/certs/ca-bundle.trust.crt; however, this file is generated from another file.

  1. Run these commands as root:
  2. cd /usr/share/pki/ca-trust-source
  3. Use a text editor (such as vi ca-bundle.trust.p11-kit or nano ca-bundle.trust.p11-kit) to edit the 'ca-bundle.trust.p11-kit' file
  4. Search for "AddTrust External Root"
  5. Delete or comment ("#") out the entire block for AddTrust External Root
    • Remove all these lines:
[p11-kit-object-v1]
label: "AddTrust External Root"
class: x-certificate-extension
object-id: 2.5.29.37
value: "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01"
modifiable: false
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt/caM+byAAQtOeBOW+0f
vGwPzbX6I7bO3psRM5ekKUx9k5+9SryT7QMa44/P5W1QWtaXKZRagLBJetsulf24
yr83OC0ePpFBrXBWx/BPP+gynnTKyJBU6cZfD3idmkA8Dqxhql4Uj56HoWpQ3Nea
Tq8Fs6ZxlJxxs1BgCscTnTgHhgKo6ahpJhiQq0ywTyOrOk+E2N/On+Fpb7vXQtdr
ROTHre5tQV9yWnEIN7N5ZaRZoJQ39wAvDcKSctrQOHLbFKhFxF0qfbe01sTurM0T
RLfJK91DACX6YblpalgjEbenM49WdVn1zSnXRrcKK2W200JvFbK4e/vv6V1T1TRa
JwIDAQAB
-----END PUBLIC KEY-----

[p11-kit-object-v1]
label: "AddTrust External Root"
trusted: true
nss-mozilla-ca-policy: true
modifiable: false
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
  6. Save the file
  7. Run the command update-ca-trust