As announced ( OpenSSL Client Compatibility Changes for Let’s Encrypt Certificates ) expiration of DST Root CA X3 causing issues for clients with OpenSSL < 1.1.0. As there are still some very old Centos/RHEL 6 Servers (openssl-1.0.1e-58.el6_10.x86_64) out there (especially some of our VM Hosting/Hous…

@ Osiris - thx - it's working like a charm with the manually compiled RPMs! :wink: For the sake of completeness, here again the complete workflow to solve the DST Root CA X3 expiration problem with Centos / RHEL 6 ... yum install wget yum install krb5-devel zlib-devel lksctp-tools-devel util-linux…

Thanks for the help folks, I still get a curious error when trying to update/install the rpm (existing latest openssl in centos 6 is 1.0.1e)... error: Failed dependencies: openssl-devel = 1.0.1e-58.el6_10 is needed by (installed) openssl-static-1.0.1e-58.el6_10.x86_64 However, yum install openssl…

You won't need to install the source RPM, but that message indicates that your existing version of openssl-static doesn't like that you are upgrading openssl-devel and trying to leave it back on the old version, so the correct fix is just to install openssl-static in the same command like you did!

Those work nicely for me, thank you!

For all interested parties. I've modified openssl.spec to incorporate shared files back into monolitic RPM file to match EL6 package contents. URL for corresponding binary and source packages (openssl and ca-certificates) + openssl.spec is https://server-support.co/openssl-el6/

I have problem with manually compiled RPMs on centos 6. # rpm -U openssl-libs-1.0.2k-21.el6.x86_64.rpm openssl-1.0.2k-21.el6.x86_64.rpm error: Failed dependencies: openssl = 1.0.1e-58.el6_10 is needed by (installed) openssl-devel-1.0.1e-58.el6_10.x86_64 openssl = 1.0.1e-58.el6_10 is needed by (inst…

add the devel and perl RPM to the "rpm -U" call ... they are all there ... :wink:

Thank you very much for the summation @futureweb ! For openssl update needed to remove a python-libs-2.6.6-68.el6_10.i686 package from 6.10 @updates repo, as it had a fixed dependency that prevented the openssl install. It removed cleanly though, nothing using it apparently. yum remove python-libs-…

Signed up just to say thanks. The comments in this thread are pure gold. @futureweb incorporated the comments from many in this thread into a perfect post on building the openssl & ca-certificate packages in post #73 . I happened to load these into Spacewalk, and yum is smart enough to install the op…

Hi @yaylife and welcome to the LE community forum :slight_smile: [image] yaylife: Signed up just to say thanks. I can't think of a better compliment :+1:

Your work is greatly appreciated Andreas

RHEL/CentOS 6 OpenSSL client compatibility after DST Root CA X3 expiration

Help

orangepizza October 18, 2021, 8:22pm 84

if it doen'st care about self-sign then would it need to keep same issuer? not sure intermediate from unknown issuer in trust store would work though

Topic		Replies	Views
RHEL/CentOS 7 OpenSSL client compatibility after new chain Help	44	16947	October 9, 2021
Openssl is unable to get local issuer certificate ever since DST Root X3 expired Help	29	23793	January 23, 2022
One of these certs is not like the others -DST Root CA X3 breaking antique hosts Help	14	1166	December 26, 2023
Help thread for DST Root CA X3 expiration (September 2021) Help	720	167531	November 3, 2022
Correct ca bundle to use Issuance Tech	70	12007	November 9, 2021

RHEL/CentOS 6 OpenSSL client compatibility after DST Root CA X3 expiration

Related topics