As announced ( OpenSSL Client Compatibility Changes for Let’s Encrypt Certificates ) expiration of DST Root CA X3 causing issues for clients with OpenSSL < 1.1.0. As there are still some very old Centos/RHEL 6 Servers (openssl-1.0.1e-58.el6_10.x86_64) out there (especially some of our VM Hosting/Hous…

@ Osiris - thx - it's working like a charm with the manually compiled RPMs! :wink: For the sake of completeness, here again the complete workflow to solve the DST Root CA X3 expiration problem with Centos / RHEL 6 ... yum install wget yum install krb5-devel zlib-devel lksctp-tools-devel util-linux…

My latest info was that CentOS/RHEL 6 ships OpenSSL 1.0.1, while 7 ships OpenSSL 1.0.2. The workarounds known for OpenSSL (removing the old root is one of them) only work on OpenSSL 1.0.2. Unless RHEL 6 has backported patches*, I'm not aware of anything you can do for those. The CentOS/RHEL 7 disc…

[image] futureweb: I'm puzzled on how to remove the old X3 (+adding the not expired X3) from those Centos/RHEL 6 Servers Note that there is no such thing as a "not expired X3". In principle, Let's Encrypt uses its own ISRG Root X1 root certificate. The only reason the LE default certificate c…

Have same issue. How can we install new root cert on Centos 6?

[image] Osiris: You probably need to add ISRG Root X1 to the root stores. If it's unpatched OpenSSL 1.0.1, this won't help. (If patches were available, I would hope they also include ISRG Root X1?)

[image] Osiris: You probably need to add ISRG Root X1 to the root stores. of course ... my fault ... corrected in posting ... thx! :slight_smile:

Removing the X3 from server fixed the issue here: First you need to update CA certificates to add the new X1 cert. yum update ca-certificates Then look for the old X3 sudo nano /etc/ssl/certs/ca-bundle.crt Search for "DST Root CA X3" in this file and delete the X3 certificate. Save file and …

[image] klingersoares1: Then look for the old X3 sudo nano /etc/ssl/certs/ca-bundle.crt Search for "DST Root CA X3" in this file and delete the X3 certificate. Save file and be happy already tried to manually delete the X3 - but had no effect on Centos 6 Test-Server ...

probably only if openssl also updated somehow? as on OpenSSL 1.0.1e-fips which is latest for Centos 6.10 it won't help

[image] Nummer378: If it's unpatched OpenSSL 1.0.1, this won't help. Even if DST Root CA X3 is removed, as suggested in this thread?

[image] Osiris: Even if DST Root CA X3 is removed, as suggested in this thread? Yes, for me it didn't help

RHEL/CentOS 6 OpenSSL client compatibility after DST Root CA X3 expiration

Help

futureweb September 30, 2021, 8:43pm 6

of course ... my fault ... corrected in posting ... thx!

Topic		Replies	Views
RHEL/CentOS 7 OpenSSL client compatibility after new chain Help	42	17010	October 9, 2021
Openssl is unable to get local issuer certificate ever since DST Root X3 expired Help	28	23881	December 24, 2021
One of these certs is not like the others -DST Root CA X3 breaking antique hosts Help	13	1173	November 26, 2023
Help thread for DST Root CA X3 expiration (September 2021) Help	665	168996	December 26, 2021
Correct ca bundle to use Issuance Tech	69	12139	October 10, 2021

RHEL/CentOS 6 OpenSSL client compatibility after DST Root CA X3 expiration

Related topics