Hi all,

The reason this has been manifesting as a giant problem unexpectedly since Saturday,
and did not only hit obscure ancient Java programs etc. as Sectigo
predicted, is:

SSL providers such as Namecheap SSLs.com (and probably many others) were
issuing certificates good until mid-2021 with an expiring .ca-bundle file in
the download zip!

So anyone up until about New Year's was getting these files and installing
expiring-in-May bundle certs onto their server along with their actual cert
(expiring in 1 or 2 years usually). May 30th came along and that stopped
working out so well for a LOT more users than expected...


Server side mitigation:

This problem can/should be fixed on the server side by server administrators
updating their CA certificate bundle (i.e. SSLCACertificateFile or
SSLCertificateChainFile if you use Apache) to replace the expired Comodo or
Sectigo root certs with the correct non-expired ones.

The correct bundle cert depends on who your SSL is signed by, but they can be
found here:

https://www.ssls.com/knowledgebase/sectigo-root-certificate-expiring-may-30-2020

and also here:

https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT

However, until all the servers are patched, or the AddTrust External CA cert
is removed from the ca-certificates bundle, this will continue to explode for
clients.


Client side mitigation:

As specified here, mitigation on the client side is:

- remove AddTrust_External_Root.crt from /etc/ca-certificates.conf
- regenerate with update-ca-certificates -f -v


Debian fix:

Should be to update ca-certificates as per this bug and remove the expired
cert. There is actually a reason to do this, as per the OpenSSL bug in
question:

https://rt.openssl.org/Ticket/Display.html?id=3359#txn-40958

    "The current fix is to not have expired certificates in the trust
    store."

So given the version of OpenSSL in stretch, the only sane fix at least for 
stretch (and Jessie LTS if still possible) is to remove that certificate.


Many of these notes were gleaned from this reddit discussion thread: 
https://www.reddit.com/r/linux/comments/gshh70/sectigo_root_ca_expiring_may_not_be_handled_well/

which I just discovered now, after spending a weekend fixing up certs server
side on hundreds of customer sites. Damn you, Namecheap!!!

D.
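The server-side and client-side mitigations above both come down to the same check: find the expired root in a PEM bundle (an Apache SSLCACertificateFile / SSLCertificateChainFile, or the system ca-certificates.crt) and drop it. The following is an added example, not code from this thread, from Debian, or from Sectigo. It uses only the Python standard library, walking just enough DER to read each certificate's validity and subject CN, so it runs on a real bundle offline. The two certificates it ships with are constructed skeletons (no real keys or signatures); their names and dates are sample values chosen to mirror the AddTrust expiry discussed here, and `SAMPLE_BUNDLE`, `CHECK_TIME`, `scan_bundle` and `strip_expired` are names of this example, not of any tool.

```python
"""Scan a PEM CA bundle (e.g. an Apache SSLCACertificateFile / SSLCertificateChainFile
or /etc/ssl/certs/ca-certificates.crt) for expired certificates and produce a copy
without them.  Standard library only; a small DER walker reads validity and subject CN."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)


def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _time(tag, raw):
    """Decode X.509 UTCTime (0x17) or GeneralizedTime (0x18) to an aware UTC datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                                     # YYMMDDHHMMSSZ; RFC 5280 century rule
        yy = int(text[:2])
        text = f"{yy + (1900 if yy >= 50 else 2000)}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_info(der):
    """Return (subject CN, notBefore, notAfter) for one DER-encoded certificate."""
    _, pos, _ = _tlv(der, 0)                            # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                          # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                                  # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, vpos, pos = _tlv(der, pos)                       # validity SEQUENCE { notBefore, notAfter }
    t1, s1, e1 = _tlv(der, vpos)
    t2, s2, e2 = _tlv(der, e1)
    _, rpos, rend = _tlv(der, pos)                      # subject Name: SEQUENCE OF RDN (SET OF ATV)
    cn = ""
    while rpos < rend:
        _, apos, rpos = _tlv(der, rpos)                 # one RDN SET; rpos now points past it
        _, opos, oend = _tlv(der, _tlv(der, apos)[1])   # first ATV SEQUENCE -> its OID
        if der[opos:oend] == OID_CN:
            _, v0, v1 = _tlv(der, oend)                 # attribute value follows the OID
            cn = der[v0:v1].decode("utf-8", "replace")
    return cn, _time(t1, der[s1:e1]), _time(t2, der[s2:e2])


def scan_bundle(bundle, now):
    """Describe every certificate in a PEM bundle: CN, notAfter, and whether it is expired at now."""
    out = []
    for m in PEM_RE.finditer(bundle):
        cn, _, not_after = cert_info(base64.b64decode("".join(m.group(1).split())))
        out.append({"cn": cn, "not_after": not_after, "expired": not_after < now})
    return out


def strip_expired(bundle, now):
    """Return the bundle text with every certificate that is expired at now removed."""
    def keep(m):
        der = base64.b64decode("".join(m.group(1).split()))
        return m.group(0) if cert_info(der)[2] >= now else ""
    return PEM_RE.sub(keep, bundle)


def _der(tag, content):
    """DER-encode one TLV with a definite (short or long form) length; used only for test data."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_cert(cn, not_before, not_after):
    """Constructed, unsigned certificate skeleton (dummy signature, empty key); NOT a real CA cert."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
               + _der(0x30, utc(not_before) + utc(not_after)) + name + _der(0x30, b""))
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bundle: names/dates mirror the expired root and its replacement.
SAMPLE_BUNDLE = (
    constructed_cert("AddTrust External CA Root",
                     datetime(2000, 5, 30, 10, 48, 38), datetime(2020, 5, 30, 10, 48, 38))
    + constructed_cert("USERTrust RSA Certification Authority",
                       datetime(2010, 2, 1), datetime(2038, 1, 18, 23, 59, 59)))
CHECK_TIME = datetime(2020, 6, 1, tzinfo=timezone.utc)  # just after the AddTrust expiry

if __name__ == "__main__":
    for c in scan_bundle(SAMPLE_BUNDLE, CHECK_TIME):
        print(f"{'EXPIRED' if c['expired'] else 'ok     '}  {c['not_after']:%Y-%m-%d}  {c['cn']}")
```

To use it on a real file, read the bundle text and pass `datetime.now(timezone.utc)` as `now`; `scan_bundle` tells you whether the AddTrust root is still in an Apache chain file or in the system store, and `strip_expired` gives you the chain with expired entries gone. On Debian the proper client-side route is still the one above (deselect the cert in /etc/ca-certificates.conf and run update-ca-certificates), since ca-certificates.crt is regenerated from that configuration rather than edited by hand.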
