Bob Proulx <invalid.nore...@gnu.org> writes:
> On September 30, 2021, as planned the DST Root CA X3 cross-sign has expired > for the Let's Encrypt trust chain. That was a normal and planned event. > However coupled with a verification error in the code of libraries > authenticating certificates it caused some clients that have not been updated > to fixed versions to have problems validating certificates. > > If you are experiencing invalid certificate chain problems with Let's Encrypt > certificates (not a Savannah problem) then please upgrade your client to the > latest security patches for your system. Please reference these resources as > to upstream information and discussion about the issue. > > * https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ > * https://community.letsencrypt.org/t/production-chain-changes/150739/4 > * https://letsencrypt.org/docs/certificate-compatibility/ > * https://letsencrypt.org/certificates/ > * https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ > > > _______________________________________________ > Message sent via Savannah > https://savannah.nongnu.org/ With a little googling, seems like this is the way to remove the expired root cert on trisquel 8, suggested from https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ sudo sed -i"" 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/' /etc/ca-certificates.conf sudo dpkg-reconfigure -fnoninteractive ca-certificates sudo update-ca-certificates