AddTrust Root expiration fix

AddTrust Root expiration fix

With the root cert expiring for sectigo, the older linux distributions are not properly ignoring the cert.

I have seen this affect boxes which ran ubuntu 16.04, but there would be others too. Didn’t notice anything on Debian 10(buster)

As people have pointed out around, this is an openssl 1.0.2 bug. So even a system upgrade wouldn’t help the situation wouldn’t help, as this would require an actual distro upgrade.

Programs which don’t depend on openssl(like go binaries), won’t get affected by this. Services/client on Ruby/Jruby for example, on the other hand will have problems similar to curl.

The same goes for programs which do certificate pinning on their clients. Personally, saw a saas vendor dole out a fix for this yesterday for their python client, These clients would see external calls to other endpoints failing.

This is also a great twitter thread by Ryan on twitter

How curl fails in a typical affected client box

$ curl
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here:

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

What should I do if I am affected by this?

echo -n > /usr/share/ca-certificates/mozilla/AddTrust_Low-Value_Services_Root.crt;\
echo -n > /usr/share/ca-certificates/mozilla/AddTrust_Public_Services_Root.crt; \
echo -n > /usr/share/ca-certificates/mozilla/AddTrust_Qualified_Certificates_Root.crt;\ 
echo -n > /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt;\

The above would empty out the contents of the file, you could further use chattr +i on the file to change the file attributes such that the above files are not modified from the state which we have set them to, but the bad part of the changing this attribute is that when do a system update, this file would not get updated.

sudo sed -i -e 's/^mozilla\/AddTrust_External_Root.crt/!mozilla\/AddTrust_External_Root.crt/' /etc/ca-certificates.conf
sudo update-ca-certificates --fresh