Looks like a CentOS 7 YUM update is available for an up-to-date ca-certificates RPM, which updates the system CA trust store and removes the soon-to-expire CA cert.
yum list updates -q
Updated Packages
ca-certificates.noarch    2021.2.50-72.el7_9    updates
rpm -qa --changelog ca-certificates | head -n5
* Tue Sep 14 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-72
- Fix expired certificate.
- Removing:
- # Certificate "DST Root CA X3"
I just want to mention that system applications should be fine, but if you deployed a custom Python application which uses requests in a virtualenv, your CA bundle will be provided by certifi, and they still provide the expired certificate.
So if your Python application makes outgoing requests and tries to verify the TLS certificate, you should pass the path to the system-wide CA bundle.
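One way to do what the post above describes, as an added example that is not part of the original thread or of requests/certifi itself: pick the distribution-maintained CA bundle (the one the ca-certificates RPM updates) over certifi's copy, and list any CA in a bundle that has already expired so the difference between the two stores is visible. Assumptions: the system bundle lives at one of the SYSTEM_BUNDLES paths below, REQUESTS_CA_BUNDLE is the variable requests honours for an override and SSL_CERT_FILE the one OpenSSL honours, and requests/certifi may or may not be installed in the virtualenv.

```python
"""Added example, not from the thread: verify against the CentOS 7 system CA
store (rewritten by update-ca-trust when ca-certificates is updated) instead of
the cacert.pem that certifi ships inside the virtualenv."""
import os
import ssl
import time

# Distribution-maintained bundles (assumed standard paths). On CentOS 7 the
# first is a symlink into /etc/pki/ca-trust/extracted/, which update-ca-trust rewrites.
SYSTEM_BUNDLES = (
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
)


def choose_ca_bundle(env=None, candidates=SYSTEM_BUNDLES, exists=os.path.isfile):
    """Return the CA bundle path an application should verify against, or None.

    Order: an explicit REQUESTS_CA_BUNDLE / SSL_CERT_FILE from the environment,
    then the first system bundle that exists. None means no system store was
    found; in that case requests silently falls back to certifi's bundle.
    `exists` is injectable so the selection logic can be tested without the filesystem.
    """
    env = os.environ if env is None else env
    for var in ("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE"):
        path = env.get(var)
        if path and exists(path):
            return path
    for path in candidates:
        if exists(path):
            return path
    return None


def expired_cas(cafile, now=None):
    """Return [(commonName, notAfter), ...] for every CA in `cafile` that has expired.

    Uses only the stdlib ssl module: loading the PEM bundle into a context
    parses it, and get_ca_certs() exposes each CA certificate's validity.
    """
    now = time.time() if now is None else now
    ctx = ssl.create_default_context(cafile=cafile)
    expired = []
    for cert in ctx.get_ca_certs():
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            # subject is a tuple of RDNs, each a tuple of (attribute, value) pairs
            subject = dict(pair for rdn in cert["subject"] for pair in rdn)
            expired.append((subject.get("commonName", "?"), cert["notAfter"]))
    return expired


def main():
    bundle = choose_ca_bundle()
    if bundle is None:
        print("no system CA bundle found; requests would use certifi's copy")
        return
    print("system bundle:", bundle, "expired CAs:", expired_cas(bundle))
    try:
        import certifi  # the bundle a virtualenv's requests uses by default
        print("certifi bundle:", certifi.where(), "expired CAs:", expired_cas(certifi.where()))
    except ImportError:
        pass
    try:
        import requests
    except ImportError:
        return
    session = requests.Session()
    session.verify = bundle  # every request on this session now trusts the OS store
    # session.get("https://example.com/") would now verify against the system bundle


if __name__ == "__main__":
    main()
```

Running it on a box where certifi still ships the old root prints "DST Root CA X3" under the certifi bundle and nothing under the system one; setting `session.verify` (or `REQUESTS_CA_BUNDLE`) is what actually moves verification to the OS store, since requests defaults to `certifi.where()` regardless of what the OpenSSL default paths say.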
Great that this resolved the issue for you. However, as one should expect, I haven't seen anywhere on new or existing CentOS 7 boxes that this was needed after updating ca-certificates.
If you look at the output of rpm -q --scripts ca-certificates you can see that running update-ca-trust is already managed by the package itself.
Just wanting to clarify in this thread that it is ordinarily not required to run update-ca-trust extract after updating.
Oh, I see they also provide a way to switch back from ZeroSSL to LetsEncrypt by changing the ACME_DEFAULT_CA='zerossl' back to ACME_DEFAULT_CA='letsencrypt'.
Thank you for posting that link, @eva2000!
CentOS 7 users with certbot from EPEL unfortunately cannot use --preferred-chain because the latest package in EPEL is only 1.11.0. @FelixSchwarz since you have been working on these packages, any idea what we can do to update certbot in EPEL7?
The problem is that certbot 1.12 requires Python 3. EPEL ships all certbot plugins, and this creates a pretty impressive dependency tree. I had to fix/tweak/adapt roughly two dozen packages to get all the required plugins. Unfortunately the project stalled about 4 months ago, as I did not have enough free time to finish the transition, but most pieces are actually in place already.
If you only need certbot (or certbot-nginx/a few select plugins), you could try my COPR repo.
However, that COPR was only meant for my packaging experiments, so no actual deployment testing. The stuff that was built should work, but this is really not tested like the usual certbot updates you get via EPEL. Also certbot-apache is not yet available in my COPR (missing Python 3 version for augeas).
I have to admit that I missed the problem that certbot 1.11 does not support "--preferred-chain". If you need a fix within the next weeks the best way forward is likely to use a custom virtualenv and install certbot there until EPEL 7 packages are ready. If you only use packages which I already built successfully and the machine is not really critical you could try my COPR and check if everything is working.
I'll try to get the transition in the next weeks but there are a lot of packages involved so I can't promise a quick solution.
Well, unfortunately my Gentoo also requires the presence of Python 2.7 (so I can compile Firefox or Chromium, I believe), but that's no excuse not to be able to install Python 3.x IMO.