Amazon AMIs failing to connect to backends; modifying ca-bundle

I started a VM of this type, logged in, and checked the OpenSSL version:

$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

Per /policies/releasestrat.html, 1.0.2 is no longer supported. Would you mind filing a support ticket with Amazon to upgrade the OpenSSL version in their AMI images?

Yes, or rather the other way around. Since your system has ISRG Root X1 in its trust store, OpenSSL should simply ignore the cross-signed version of it (signed by DST Root CA X3) that shows up in certificate chains. However, OpenSSL 1.0.2 doesn't properly ignore the cross-signature. Instead it throws an error! That behavior is fixed in OpenSSL 1.1.0.

2 Likes