[Blink] Expired certificate for Ubuntu Focal Repository?
g4-lisz at tonarchiv.ch
Thu Nov 4 16:59:02 CET 2021
On 04.11.21 15:29, Lars Noodén wrote:
> On 11/2/21 22:28, g4-lisz at tonarchiv.ch wrote:
>> Finally solved by installing Let's Encrypt R3 cert manually:
>>
>> sudo wget --no-check-certificate \
>>   https://letsencrypt.org/certs/lets-encrypt-r3.pem -O \
>>   /usr/local/share/ca-certificates/lets-encrypt-r3.crt
>>
>> sudo update-ca-certificates
>>
>
> Thanks. I've now tried that and still get the certificate error.
>
> Digging, I see only four certificates expiring in 2021, two of which are
> still good for a while:
>
> $ find /usr/share/ \
> -type f \
> -name '*.crt' \
> -exec sh -c "openssl x509 -text -noout -in {} ||echo {}>&2" \; \
> | awk '{$1=$1}
> /Not After/ && $7 == 2021 {s=1;print}
> s&&$1~/Subject/ {print $0,"\n"; s=0}'
>
> With slight formatting that results in this list:
>
> Not After : Dec 15 08:00:00 2021 GMT
> Subject: OU = GlobalSign Root CA - R2, O = GlobalSign,
> CN = GlobalSign
>
> Not After : Mar 17 18:33:33 2021 GMT
> Subject: C = BM, O = QuoVadis Limited,
> OU = Root Certification Authority,
> CN = QuoVadis Root Certification Authority
>
> Not After : Dec 15 08:00:00 2021 GMT
> Subject: O = "Cybertrust, Inc", CN = Cybertrust Global Root
>
> Not After : Apr 6 07:29:40 2021 GMT
> Subject: C = FI, O = Sonera, CN = Sonera Class2 CA
>
> Should I just remove the expired certificates or do they need to be
> replaced? Or is there a way to tell from Blink's logs which is the
> offending certificate?
>
> /Lars
These certificates shouldn't be connected to the Let's Encrypt issue in
any way...

When running update-ca-certificates, did you get the reply "added 1"?

Make sure that this link is available:
/etc/ssl/certs/lets-encrypt-r3.pem ->
/usr/local/share/ca-certificates/lets-encrypt-r3.crt

Maybe try after running `update-ca-certificates -f` ("Fresh updates").

Ahhh wait, I also installed the Trustid X3 from here:
https://letsencrypt.org/certs/trustid-x3-root.pem.txt - Maybe this
together with the R3 did the trick?

According to Let's Encrypt this is the actual DST Root CA X3 certificate.
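
The checks discussed in this message (expired certificates in a CA directory, and the /etc/ssl/certs symlink for a locally added CA), as an added example that is not part of the original post or of Blink. The function names and the script name audit-ca.sh are hypothetical; the fingerprint helper is included because the R3 file above was fetched with --no-check-certificate.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# only openssl(1) and POSIX tools (plus readlink -f) are assumed.

# cert_expires_within FILE SECONDS
#   0 = expires within SECONDS (0 means already expired)
#   1 = still valid after SECONDS, 2 = FILE is not a readable certificate
cert_expires_within() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2
    if openssl x509 -checkend "$2" -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# list_expiring DIR SECONDS: one line per matching *.crt (path, notAfter, subject).
# Only the first certificate in each file is inspected.
list_expiring() {
    find "$1" -type f -name '*.crt' | sort | while IFS= read -r f; do
        if cert_expires_within "$f" "$2"; then
            printf '%s\t%s\n' "$f" \
                "$(openssl x509 -noout -enddate -subject -in "$f" | tr '\n' ' ')"
        fi
    done
}

# linked_in_store CRT STORE: true if STORE/<name>.pem is a symlink to CRT,
# i.e. the link the post above says to check after update-ca-certificates.
linked_in_store() {
    link="$2/$(basename "$1" .crt).pem"
    [ -L "$link" ] && [ "$(readlink -f "$link")" = "$(readlink -f "$1")" ]
}

# fingerprint CRT: SHA-256 fingerprint, to compare against a value obtained
# over a verified channel when the file was fetched without TLS validation.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Usage: sh audit-ca.sh /usr/local/share/ca-certificates /etc/ssl/certs
if [ "$#" -ge 2 ]; then
    list_expiring "$1" 0
    for c in "$1"/*.crt; do
        [ -e "$c" ] || continue
        linked_in_store "$c" "$2" || echo "NOT LINKED in $2: $c"
        echo "sha256 $(fingerprint "$c")  $c"
    done
fi
```

With a margin of 0 the first function reports only certificates that have already expired; a larger margin (for example 2592000 for 30 days) lists those about to expire.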