Core/openssl package not honoring letsencrypt certs

As of 9/30/2021, openssl 1.0.2 is not working with letsencrypt certs until there’s a cacert update that deletes the one that expired today.

More information from is here : DST Root CA X3 Expiration (September 2021) - Let's Encrypt

There are few workarounds to this issue which are mentioned here : Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog

Essentially DST Root CA X3 needs to be removed as a workaround. Also, If the new ISRG Root X1 self-signed certificate isn’t already in the trust store, add it. We have an active discussion going in various channel on this and many workarounds have been proposed which seem to work for certain platforms/systems.

Some of them are mentioned below ( Thanks to many of the members in our community slack who have contributed to come up with the workarounds which have been pasted below)


sed -i '/DST Root CA X3/,+19d' /opt/chef/embedded/ssl/certs/cacert.pem

sed -i 's#^mozilla/DST_Root_CA_X3.crt#!mozilla/DST_Root_CA_X3.crt#' /etc/ca-certificates.conf && update-ca-certificates

Ubuntu 18.04+

apt install ca-certificates

(USN-5089-1: ca-certificates update | Ubuntu security notices | Ubuntu)


/usr/bin/sed -i '' '/DST Root CA X3/,/^$/ d' /opt/chef/embedded/ssl/certs/cacert.pem


((Get-Content -path cacerts.pem) -replace '(?s)DST Root CA X3.*?(END CERTIFICATE-----)', '') | | Set-Content -Path cacerts.pem

Hab team is actively working towards a fix for the package and will be posting information regarding the fix and the timeline in various slack channels.

1 Like

This topic was automatically closed after 10 days. New replies are no longer allowed.