I have an Alpine Linux container, and the services are not able to communicate over SSL due to this issue.
I removed the DST Root CA X3 from the trust store, yet I am not able to communicate over SSL.
Could you suggest any steps to be taken in Alpine Linux for this?
TIA
Hi Rudy,
I have 2 services running in a Kubernetes cluster in IBM Cloud.
The container running my service is based on Alpine Linux. I have an ingress which uses the Let's Encrypt certificate.
Service 1 is trying to hit Service 2 with the ingress URL, and is getting an SSL certificate expired error (the certificate says 84 days remaining in the browser and in the Cloud panel).
On further digging I came to know about this issue, so I removed the DST Root CA X3 certificate from the trust store.
However, I am still getting this error.
Does Alpine Linux have a cache from which it's referring to the old certificate?
@thecode_jc
You may also need to remove the "DST Root CA X3" from the chain being served.
[note: the whole point of its presence is to provide a path for older Androids to trust]
Thanks for the reply
I have removed the certificate from /etc/ca-certificates.conf by commenting out the DST Root CA X3 cert and running update-ca-certificates; now /etc/ssl/certs/ca-certificates.crt, which contains all the certificates, does not have this certificate.
Do you know which other place has a reference to the old certificate?
Hi Rudy,
Thanks for the reply
I checked and found that the TLS request is getting terminated at nginx, so these changes will be needed at the nginx ingress service; hence we are seeing this issue.
I have raised a query with the support team, as it's a managed cluster.
Will update here once I get an answer.
Thanks for the correct direction, I was able to remove the third certificate from the chain, which was signed by DST Root CA X3.
This certificate was stored in a Kubernetes secret, and I had to create a duplicate and modify the certificate chain, and recreate the nginx ingress definition.
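
The chain trimming described in the last post, as an added example that is not part of the original thread: it reads the PEM bundle served by the ingress (the decoded certificate data from the secret) and drops every certificate whose issuer name contains "DST Root CA X3". The function names and the script name `trim_chain.py` are hypothetical, and matching on the issuer common name as a byte substring is an assumption of this sketch.

```python
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
EXPIRED_ROOT_CN = b"DST Root CA X3"  # issuer name taken from the thread


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def issuer_name(der):
    """Return the raw DER bytes of an X.509 certificate's issuer Name."""
    _, pos, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)    # [0] version, or serialNumber if v1
    if tag == 0xA0:
        _, _, end = read_tlv(der, end)  # serialNumber
    _, _, end = read_tlv(der, end)      # signature AlgorithmIdentifier
    _, start, end = read_tlv(der, end)  # issuer Name
    return der[start:end]


def trim_chain(bundle, issuer_cn=EXPIRED_ROOT_CN):
    """Return (kept_pem, dropped_blocks), dropping certs issued by issuer_cn."""
    kept, dropped = [], []
    for m in PEM_RE.finditer(bundle):
        der = base64.b64decode(m.group(1))
        (dropped if issuer_cn in issuer_name(der) else kept).append(m.group(0))
    return "\n".join(kept) + "\n", dropped


if __name__ == "__main__":
    # Assumed usage: python trim_chain.py < tls.crt > tls-trimmed.crt
    pem, dropped = trim_chain(sys.stdin.read())
    sys.stderr.write(f"dropped {len(dropped)} certificate(s)\n")
    sys.stdout.write(pem)
```

The match is on the issuer field only, so a certificate that merely has that name as its subject is kept, while the cross-signed intermediate and the expired root itself are both removed.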