Confirm whether Amazon Linux trusts ISRG Root X1

The cert compatibility page didn't mention Amazon Linux and Amazon Linux 2.

Do these two platforms trust ISRG Root X1?

I tried on Amazon Linux; it seems like it doesn't. I haven't tried on Amazon Linux 2 yet.

Well, I can confirm it's there on Amazon Linux 2, at least in the sense that curl https://valid-isrgrootx1.letsencrypt.org doesn't have any errors and the ISRG Root X1 certificate is in /etc/ssl/certs/ca-bundle.crt. You may need to be specific about what programs you're interested in, as many of them can be configured with exactly what trust store they should be pointed to.

I haven't tested Amazon Linux 1, though. It's already out of support, so I wouldn't be using it for anything that I cared about for security anyway.

I am kind of surprised to not see any information about the Red Hat based Linux distributions (like CentOS and Amazon Linux) on that certificate compatibility page. It may just be that nobody's tested it all yet or put together the pull request to update that page.

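The two checks the reply above describes (is the root in the bundle the system trusts, and does a TLS connection to Let's Encrypt's test host verify) can be scripted so they are repeatable on any EL-derived box. The script below is an added example, not code from the poster or from Let's Encrypt; it uses only the Python standard library (3.7 or later is assumed), reads the trust store that OpenSSL's default paths point to (pass `cafile` explicitly, e.g. `/etc/ssl/certs/ca-bundle.crt` from the reply, if your system uses a hashed cert directory, since lazily loaded directories do not show up in `get_ca_certs()`), and assumes the test hostname `valid-isrgrootx1.letsencrypt.org` from the thread is still reachable. The `SAMPLE_STORE` entries are constructed to mirror the shape `get_ca_certs()` returns and are not real certificates.

```python
import socket
import ssl

TARGET_CN = "ISRG Root X1"
# Let's Encrypt's test host from the thread (assumed still online).
PROBE_HOST = "valid-isrgrootx1.letsencrypt.org"


def subject_cn(cert):
    """Return the subject commonName of a certificate dict as produced by
    SSLContext.get_ca_certs(): 'subject' is a tuple of RDNs, each RDN a
    tuple of (attribute-type, value) pairs."""
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def roots_named(certs, cn):
    """All entries in a certificate list whose subject CN equals cn."""
    return [c for c in certs if subject_cn(c) == cn]


def root_in_system_store(cn=TARGET_CN, cafile=None):
    """True if a root with subject CN `cn` is loaded into the default trust
    store (the same store curl/Python use when no CA path is overridden)."""
    ctx = ssl.create_default_context(cafile=cafile)
    return bool(roots_named(ctx.get_ca_certs(), cn))


def probe(host=PROBE_HOST, port=443, timeout=5.0):
    """Attempt a verified TLS handshake; returns (ok, detail).
    A chain issued under an untrusted root surfaces as
    SSLCertVerificationError, which is exactly what curl's error 60 reports."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, "verification failed: %s" % exc.reason
    except OSError as exc:
        return False, "connection failed: %s" % exc


# Constructed sample, shaped like get_ca_certs() output (not real certs).
SAMPLE_STORE = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),))},
    {"subject": ((("countryName", "XX"),),
                 (("organizationName", "Example Corp (constructed)"),),
                 (("commonName", "Example Corp Root"),))},
]


if __name__ == "__main__":
    print("ISRG Root X1 in system store:", root_in_system_store())
    ok, detail = probe()
    print("handshake with %s: %s (%s)" % (PROBE_HOST, "ok" if ok else "FAILED", detail))
```

Run it as-is for the live result, or import it and call `root_in_system_store(cafile=...)` to check a specific bundle. Keeping the store check and the handshake probe separate is deliberate: a root can be present in the bundle while a given program still fails, because, as the reply notes, many programs point at their own trust store.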

Hey thanks for checking.

I have an Amazon Linux EC2 running and it's not accepting ISRG Root X1.

Last login: Tue May 25 16:39:01 2021 from 

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2017.03-release-notes/
Amazon Linux version 2018.03 is available.
[ec2-user@ip- ~]$ curl https://valid-isrgrootx1.letsencrypt.org
curl: (60) Peer's Certificate issuer is not recognized.
More details here: https://curl.haxx.se/docs/sslcerts.html

Yeah, it would be nice if someone updated that page with some common Linux distros.

Happy to mark this as resolved.

EL 6.9+, 7.3+ and 8+ have ISRG Root X1. Or in terms of the compatibility page: EL >= 6 (with updates applied).

As EL 7 and 8 are still supported, they will also get ISRG Root X2 as soon as it's added to the Mozilla trust store. Just keep the ca-certificates RPM up to date.

