While the Let's Encrypt root certificate ISRG_Root_X1.crt is already
present, openssl seems to still check for the root certificate
DST_Root_CA_X3.crt, which has expired. This prevents HTTPS connections.

Removing DST_Root_CA_X3 fixes the issue.

centos: found the filter by looking for "DST Root" in `trust list`.

Signed-off-by: Anthony PERARD <anthony.per...@citrix.com>
---
 automation/build/centos/7.2.dockerfile         | 5 +++++
 automation/build/centos/7.dockerfile           | 5 +++++
 automation/build/debian/jessie-i386.dockerfile | 5 +++++
 automation/build/debian/jessie.dockerfile      | 5 +++++
 automation/build/ubuntu/trusty.dockerfile      | 5 +++++
 5 files changed, 25 insertions(+)

diff --git a/automation/build/centos/7.2.dockerfile 
b/automation/build/centos/7.2.dockerfile
index 4baa097e31..27244fd002 100644
--- a/automation/build/centos/7.2.dockerfile
+++ b/automation/build/centos/7.2.dockerfile
@@ -50,3 +50,8 @@ RUN rpm --rebuilddb && \
         bzip2 \
         nasm \
     && yum clean all
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN trust extract 
--filter=pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10\;type=cert
 --format=pem-bundle /etc/pki/ca-trust/source/blacklist/DST_Root_CA_X3.pem && \
+    update-ca-trust
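Review bot: the new Dockerfile comment has a typo ("relie" should be "rely") and "(Not needed anymore)" does not say what is no longer needed; since the `--filter=pkcs11:id=%c4%a7...;type=cert` value is opaque, the comment should state that this id selects DST Root CA X3 and that it was taken from `trust list`, as the commit message explains, so a later maintainer can re-verify the id without digging through git history. Something like `# Distrust the expired DST Root CA X3 that Let's Encrypt chains used to rely on` and `# (pkcs11 id taken from 'trust list'; ISRG Root X1 is already present)` would carry that information into the image itself.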
diff --git a/automation/build/centos/7.dockerfile 
b/automation/build/centos/7.dockerfile
index e688a4cece..b370068e3c 100644
--- a/automation/build/centos/7.dockerfile
+++ b/automation/build/centos/7.dockerfile
@@ -49,3 +49,8 @@ RUN yum -y install \
         nasm \
     && yum clean all && \
     rm -rf /var/cache/yum
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN trust extract 
--filter=pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10\;type=cert
 --format=pem-bundle /etc/pki/ca-trust/source/blacklist/DST_Root_CA_X3.pem && \
+    update-ca-trust
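Review bot: nothing in this step checks that the blacklist entry was actually produced, so a mistyped byte in the hard-coded pkcs11 id would let the build succeed while the expired root stays trusted. Consider failing the build when the extraction matched nothing, e.g. by appending `&& test -s /etc/pki/ca-trust/source/blacklist/DST_Root_CA_X3.pem` before `update-ca-trust` (an empty bundle means the filter selected no certificate); the same check belongs in the 7.2 Dockerfile, which carries an identical `RUN`.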
diff --git a/automation/build/debian/jessie-i386.dockerfile 
b/automation/build/debian/jessie-i386.dockerfile
index c617b6fbfb..84135230d0 100644
--- a/automation/build/debian/jessie-i386.dockerfile
+++ b/automation/build/debian/jessie-i386.dockerfile
@@ -51,3 +51,8 @@ RUN apt-get update && \
         apt-get autoremove -y && \
         apt-get clean && \
         rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN sed -i '/mozilla\/DST_Root_CA_X3\.crt/d' /etc/ca-certificates.conf && \
+    update-ca-certificates
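Review bot: this hunk distrusts the root by deleting its line from `/etc/ca-certificates.conf`, while the trusty hunk in the same patch prefixes the line with `!` instead; the two should agree, and the `!` form is preferable because it is the syntax `/etc/ca-certificates.conf` itself documents for excluding a certificate and, unlike a deleted entry, it survives a later upgrade of the ca-certificates package (whose maintainer script adds back certificates that are missing from the file, but leaves `!`-prefixed entries alone). Suggest `sed -i 's#^mozilla/DST_Root_CA_X3\.crt$#!&#'` here and in the jessie Dockerfile.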
diff --git a/automation/build/debian/jessie.dockerfile 
b/automation/build/debian/jessie.dockerfile
index 8918b26d75..d11dd48e17 100644
--- a/automation/build/debian/jessie.dockerfile
+++ b/automation/build/debian/jessie.dockerfile
@@ -50,3 +50,8 @@ RUN apt-get update && \
         apt-get autoremove -y && \
         apt-get clean && \
         rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN sed -i '/mozilla\/DST_Root_CA_X3\.crt/d' /etc/ca-certificates.conf && \
+    update-ca-certificates
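Review bot: the `sed` pattern is the only thing standing between this image and a silently still-trusted expired root; if the line in `/etc/ca-certificates.conf` is ever named differently the command succeeds with no change. Add an explicit check after `update-ca-certificates`, e.g. `&& test ! -e /etc/ssl/certs/DST_Root_CA_X3.pem`, so the build fails loudly when the certificate is still installed. This hunk is otherwise identical to the jessie-i386 one, including the "relie" typo in the comment.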
diff --git a/automation/build/ubuntu/trusty.dockerfile 
b/automation/build/ubuntu/trusty.dockerfile
index b4b2f85e73..16d08ca931 100644
--- a/automation/build/ubuntu/trusty.dockerfile
+++ b/automation/build/ubuntu/trusty.dockerfile
@@ -49,3 +49,8 @@ RUN apt-get update && \
         apt-get autoremove -y && \
         apt-get clean && \
         rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN sed -i 's#mozilla/DST_Root_CA_X3\.crt#!\0#' /etc/ca-certificates.conf && \
+    update-ca-certificates
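Review bot: `\0` in the `s#...#!\0#` replacement is a GNU sed extension; `&` is the portable spelling of "the whole match" and reads the same on every sed. The pattern is also unanchored, so re-running the step on a file that already has `!mozilla/DST_Root_CA_X3.crt` produces `!!mozilla/...`; anchoring it as `s#^mozilla/DST_Root_CA_X3\.crt$#!&#` makes the edit idempotent and avoids matching any other line that happens to contain the name. The "relie" typo in the comment applies here too.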
-- 
Anthony PERARD

