[LON-CAPA-admin] Expiry of InCommon Certificate AddTrust External CA Root (5/30/2020)

Raeburn, Stuart raeburn at msu.edu
Sun May 31 16:11:23 EDT 2020

Hello all,

If you are using SSL certificates signed by InCommon for the Apache web server on your LON-CAPA server(s) you may be impacted by the expiration of the InCommon root certificate -- AddTrust External CA Root -- which expired Saturday, May 30, 2020, at 6:48 a.m EDT.

If you visit: whatsmychaincert.com
and enter the hostname of your LON-CAPA server, in the textbox, and push "Test"
you can find out if your Apache SSL certificate chain contains the expired root certificate.  

If an expired certificate is present in the chain you'll see the message:
"<your hostname> has a trusted chain containing an expired certificate. This chain will work with modern web browsers but may fail with older clients ..."

The presence of an expired certificate impacts LON-CAPA because a certificate chain containing one will prevent completion of internal web requests (by LWP):

The solution is to remove the expired certificate from the chain, and reload Apache.

For example, if your Apache configuration file (e.g., /etc/httpd/conf.d/ssl.conf on RedHat/CentOS/Scientific Linux) includes an entry for: SSLCertificateChainFile (i.e., an intermediate certificate), and if you received your signed SSL Certificate from InCommon, then you can download an intermediate certificate (expires 2024) from:

incommon.org/custom/certificates/repository/sha384 Intermediate cert.txt

(note the single space between sha384 and Intermediate and between Intermediate  and cert.txt).

save the file, and modify /etc/httpd/conf.d/ssl.conf (if necessary) so the path given for SSLCertificateChainFile is the path to the new intermediate certificate.

Then reload the Apache web server (as root) using:

service httpd reload.

Stuart Raeburn
LON-CAPA Academic Consortium

More information about the LON-CAPA-admin mailing list