Root CA Certificate expiring soon

shobhit · October 18, 2020, 8:40am

Hi Team,

I am using LE Boulder system in test environment to generate a leaf certificate for our use.
The root CA that boulder is using for signing seems to be expiring tomorrow.

openssl x509 -noout -text -in test/test-root.pem |grep Not
        Not Before: Oct 21 20:11:52 2015 GMT
        Not After : Oct 19 20:11:52 2020 GMT

The system by default seems to be using test/test-root.pem as root CA and test/test-ca2.pem as intermediate CA.

May i know when the root CA will be rotated? Or do i have to make any changes in any boulder configuration to point it to use some other CA?

Thanks in advance.

Osiris · October 18, 2020, 8:52am

You're using a local boulder instance, right? In that case you probably could just replace the root cert yourself: the private key is included, so you wouldn't even have to replace the intermediates if you'd generate a root with the same contents and the same keypair, but just set the "Not After" date in the far future.

Also, I'm not sure how your local root would be updated if it is updated in the Boulder source. How do you update Boulder anyway?

By the way: I'm reading on the Boulder Github page that test-root.pem isn't used any longer? https://github.com/letsencrypt/boulder/issues/4882

It seems the following update has moved the use of roots to the SoftHSM: https://github.com/letsencrypt/boulder/pull/4832

@jsha Could you perhaps shed some light on this? Should I open an issue for the upcoming expiry of test-root.pem? Or is that irrelevant due to the updates I mentioned above?

shobhit · October 18, 2020, 9:06am

Thanks for quick reponse!

Yes, i am using a local boulder instance. Ok, i will try replacing the root CA cert by generating one using the "test-root.key".

For updating, i am just pulling the updated source code from git and restarting my instance.
(Note: I still haven't tried with the updated git source, i just compared the test-root.pem with updated source and it seems to be same)

Osiris · October 18, 2020, 8:53am

See my update above, there might be something else at play here too.

_az · October 18, 2020, 10:52am

@Osiris is on the money, #4832 changed things so that when you run Boulder via docker-compose, it generates everything using the certificate ceremony tool, the configuration for which you can find here.

So if you intend to use the older release of Boulder, you will have to replace the static root CA and intermediates yourself.

Osiris · October 18, 2020, 10:54am

@_az But @shobhit doesn't run a docker instance, at least I think that's not the case, as he/she's pulling the code directly from git. Does that change anything?

_az · October 18, 2020, 10:58am

I think it's quite likely that OP is running Boulder via the docker-compose setup that comes with the repo. I can't imagine that anybody outside of the Let's Encrypt team has the slightest clue how to run it otherwise, there's an incredible number of moving parts.

shobhit · October 18, 2020, 11:43am

That's right. I am running it via docker-compose.

Something like below:
docker-compose run --use-aliases -e FAKE_DNS=127.0.0.1 --service-ports boulder ./start.py

I will try updating the root CA/Intermediate CA (locally generated one), and keep using the older Boulder release (starting it via docker-compose).
We will plan to update the boulder release later.

Thanks!

shobhit · October 19, 2020, 1:27pm

Update:
I was able to use newly generated root/intermediate CA and proceed with that.

Thanks for the help folks!

jsha · October 19, 2020, 5:05pm

Well spotted, @Osiris! You're correct, test-root.pem isn't used in our integration tests (or docker-compose up) anymore. It's still used in some unittests but we'd like to clean that up.