Expired Certificate Fix
Introduction
On May 30, 2020 the root certificate used to sign the certificates used by the Computer Science servers expired. The company had provisions in place to keep the certificate chain valid; however, some older versions of OpenSSL have a bug that prevents the alternative root certificate from being used. As a result some clients wrongly report a certificate expired error after May 30, 2020. Examples are 'git' on Mac OS and 'wget' on CentOS.
The fix
The fix involves removing the expired certificate from the root CA store so that the client chooses the correct certificate. This process varies from OS to OS.
Mac OS X
The root CA store for OpenSSL-based clients is the /etc/ssl/cert.pem file.
- From 'Finder', select Go->Applications
- Open the 'Utilities' folder
- Open 'Terminal'
- Run the command 'sudo su'; it will ask you for your password
- Run the command 'cd /etc/ssl'
- Run the command 'cp cert.pem cert.bak'; this makes a backup of the file just in case
- Use a text editor (such as 'vi cert.pem' or 'nano cert.pem') to edit the 'cert.pem' file
- Search for the "AddTrust External CA Root" block and delete the following two lines:
  - "-----BEGIN CERTIFICATE-----"
  - "-----END CERTIFICATE-----"
- This will effectively comment out the AddTrust External CA Root certificate, since OpenSSL only reads text between a BEGIN and END marker
- Save the file, and it should be fixed
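The steps above find the expired root by searching for its name. The script below, added here as an example and not part of the original page, does the same job on an OpenSSL-style cert.pem bundle by decoding each certificate's notAfter date and subject CN with a minimal DER walker (standard library only), so that only roots whose validity has actually ended are removed and every other line of the file is kept verbatim. The function and variable names are the example's own; the embedded certificate is the AddTrust External CA Root exactly as printed further down this page, and the title lines around it are constructed to mimic the cert.pem layout.

```python
# Added example (not from the original page): prune expired roots from a
# cert.pem-style bundle by decoding each certificate's validity period.
import base64
import re
from datetime import datetime, timezone

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----\n?", re.S)


def der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """(tag, start, end) of every TLV packed inside buf[start:end]."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = der_tlv(buf, pos)
        out.append((tag, vs, ve))
        pos = ve
    return out


def tbs_fields(der):
    """tbsCertificate fields without the optional [0] version, so index 0 is
    serialNumber, 2 issuer, 3 validity and 4 subject."""
    _, s, _ = der_tlv(der, 0)                      # Certificate ::= SEQUENCE
    _, ts, te = der_tlv(der, s)                    # tbsCertificate ::= SEQUENCE
    fields = der_children(der, ts, te)
    return fields[1:] if fields[0][0] == 0xA0 else fields


def cert_not_after(der):
    """notAfter as an aware UTC datetime (UTCTime tag 0x17, GeneralizedTime 0x18)."""
    _, vs, ve = tbs_fields(der)[3]
    tag, ns, ne = der_children(der, vs, ve)[1]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[ns:ne].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_subject_cn(der):
    """commonName (OID 2.5.4.3, DER bytes 55 04 03) from the subject Name, or None."""
    _, ss, se = tbs_fields(der)[4]
    for _, r0, r1 in der_children(der, ss, se):           # RelativeDistinguishedName SET
        for _, a0, a1 in der_children(der, r0, r1):       # AttributeTypeAndValue SEQUENCE
            (_, o0, o1), (_, v0, v1) = der_children(der, a0, a1)
            if der[o0:o1] == b"\x55\x04\x03":
                return der[v0:v1].decode("utf-8", "replace")
    return None


def prune_expired_pem(bundle, now):
    """Return (new_bundle, removed_cns): PEM blocks with notAfter before `now`
    are cut out; titles, comments and still-valid roots are kept verbatim."""
    removed = []

    def visit(m):
        der = base64.b64decode(m.group(1))         # newlines inside are ignored
        if cert_not_after(der) < now:
            removed.append(cert_subject_cn(der))
            return ""
        return m.group(0)

    return PEM_BLOCK.sub(visit, bundle), removed


# The AddTrust External CA Root as printed on this page (expired 2020-05-30).
ADDTRUST_PEM = """-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
"""
# Constructed cert.pem-style bundle: a title line, an underline, then the block.
SAMPLE_BUNDLE = "AddTrust External Root\n======================\n" + ADDTRUST_PEM

if __name__ == "__main__":
    der = base64.b64decode(PEM_BLOCK.search(ADDTRUST_PEM).group(1))
    print(cert_subject_cn(der), "expires", cert_not_after(der).isoformat())
    print("removed:", prune_expired_pem(SAMPLE_BUNDLE, datetime.now(timezone.utc))[1])
```

Run it against the backup copy (cert.bak) rather than the live file, and write the returned bundle back to cert.pem only after checking the removed list contains nothing but the root you expect. Because the decision is made on the certificate's own notAfter field rather than on a name match, a still-valid root that happens to share the "AddTrust" label is left in place, which a plain text search would not guarantee.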
CentOS
The root CA store is located at /etc/ssl/certs/ca-bundle.trust.crt; however, this file is generated from another file, so the source file must be edited instead.
- Run these commands as root
- Run the command 'cd /usr/share/pki/ca-trust-source'
- Use a text editor (such as 'vi ca-bundle.trust.p11-kit' or 'nano ca-bundle.trust.p11-kit') to edit the 'ca-bundle.trust.p11-kit' file
- Search for "AddTrust External Root"
- Delete or comment out ("#") the entire block for AddTrust External Root, i.e. remove all of these lines:
[p11-kit-object-v1]
label: "AddTrust External Root"
class: x-certificate-extension
object-id: 2.5.29.37
value: "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01"
modifiable: false
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt/caM+byAAQtOeBOW+0f
vGwPzbX6I7bO3psRM5ekKUx9k5+9SryT7QMa44/P5W1QWtaXKZRagLBJetsulf24
yr83OC0ePpFBrXBWx/BPP+gynnTKyJBU6cZfD3idmkA8Dqxhql4Uj56HoWpQ3Nea
Tq8Fs6ZxlJxxs1BgCscTnTgHhgKo6ahpJhiQq0ywTyOrOk+E2N/On+Fpb7vXQtdr
ROTHre5tQV9yWnEIN7N5ZaRZoJQ39wAvDcKSctrQOHLbFKhFxF0qfbe01sTurM0T
RLfJK91DACX6YblpalgjEbenM49WdVn1zSnXRrcKK2W200JvFbK4e/vv6V1T1TRa
JwIDAQAB
-----END PUBLIC KEY-----
[p11-kit-object-v1]
label: "AddTrust External Root"
trusted: true
nss-mozilla-ca-policy: true
modifiable: false
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
- Save the file
- Run the command 'update-ca-trust' to regenerate /etc/ssl/certs/ca-bundle.trust.crt from the edited source file