From lucasm at ohio.edu  Fri Oct  1 10:47:36 2021
From: lucasm at ohio.edu (Lucas, Mark)
Date: Fri, 1 Oct 2021 14:47:36 +0000
Subject: [LON-CAPA-admin] LON-CAPA on CentOS 7 and letsencrypt.org SSL certs

Stuart,

Does this also apply to RHEL 7?

Thanks,
Mark

> On Sep 30, 2021, at 9:05 PM, Raeburn, Stuart via LON-CAPA-admin wrote:
>
> Hi,
>
> If you run LON-CAPA on CentOS 7, and you have not already done so, then you should update the ca-certificates package to rev. 2021.2.50-72.el7_9 (released September 23rd).
>
> This can be done using:
>
> yum update ca-certificates
>
> This is required if you are using an Apache/SSL certificate from letsencrypt.org on the server itself (with mod_ssl also installed).
>
> If you use SSL certificates signed by a different certificate authority, or you don't use Apache/SSL, this is still required if you would like to be able to replicate content from other LON-CAPA nodes which themselves use an Apache/SSL certificate from letsencrypt.org.
>
> The reason why this is needed is that letsencrypt.org had used a "cross-signature" from the DST Root CA X3 root certificate to support older devices, and the X3 certificate expired at 10 am EDT today, September 30th. Modern browsers and devices trust letsencrypt.org's ISRG Root X1 certificate which has not expired.
>
> Replication of content in LON-CAPA, which uses perl-libwww-perl 6 (i.e., LWP) and openssl 1.0.2, will fail on CentOS 7 if the expired X3 certificate is still present as one of the trusted certificates. By updating ca-certificates to rev. 2021.2.50-72.el7_9 the X3 certificate will be removed.
>
> If this command:
>
> less /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem | grep 'DST Root CA X3'
>
> returns:
>
> # DST Root CA X3
>
> then the expired Root CA is still present.
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin

--
Mark Lucas
Professor of Instruction
Department of Physics and Astronomy (College of Arts and Sciences)/Ohio Honors Program (Honors College)
252D Clippinger Lab, Ohio University, Athens, OH 45701
email: lucasm at ohio.edu
phone: (740)597-2984
Pronouns: He, Him, His


From raeburn at msu.edu  Fri Oct  1 13:39:12 2021
From: raeburn at msu.edu (Raeburn, Stuart)
Date: Fri, 1 Oct 2021 17:39:12 +0000
Subject: [LON-CAPA-admin] LON-CAPA on CentOS 7 and letsencrypt.org SSL certs

Mark,

Given that CentOS 7 is a downstream rebuild of RHEL 7, you should also update ca-certificates on RHEL7, if you have not already done so.

The same applies to Oracle Linux 7 and Scientific Linux 7, but SL7 does not appear to have included this yet in their updates -- see:

scientificlinux.org/category/author/sl-errata/

Here is the redhat errata:

access.redhat.com/errata/RHBA-2021:3649

And this is the entry from the change log for ca-certificates-2021.2.50-72.el7_9:

2021-09-14 - Bob Relyea - 2021.2.50-72
- Fix expired certificate.
- Removing:
- # Certificate "DST Root CA X3"

And here is a perl script you could use to test things on your servers/VMs.
Save the following to a file (e.g., letsencrypt.pl), and then run using:

perl letsencrypt.pl

    # start
    use strict;
    use warnings;
    use LWP::UserAgent;
    use HTTP::Request;

    # Fetch a page from a host whose certificate chains to ISRG Root X1 via
    # the DST Root CA X3 cross-signature; LWP verifies the chain against the
    # system trust store.
    my $ua       = LWP::UserAgent->new;
    my $method   = 'GET';
    my $protocol = 'https';
    my $host     = 'loncapa.org';
    my $file     = 'letsencrypt.html';
    my $request  = HTTP::Request->new($method, $protocol . '://' . $host . '/' . $file);
    my $response = $ua->request($request);

    # LWP reports a failed TLS handshake (e.g. an expired root) as a 500 status.
    print $response->status_line . "\n";
    # end

If the response is 200 OK all is good. If it is 500, then you need to update ca-certificates.

Stuart Raeburn
LON-CAPA Academic Consortium

________________________________________
From: Lucas, Mark
Sent: Friday, October 1, 2021 10:47 AM
To: Raeburn, Stuart; list about administration and system updating
Subject: Re: [LON-CAPA-admin] LON-CAPA on CentOS 7 and letsencrypt.org SSL certs

Stuart,

Does this also apply to RHEL 7?

Thanks,
Mark
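Added example (not from the thread or from LON-CAPA): a small Python model of the failure mode Stuart describes. Certificates are plain dicts carrying the real subject names; the verifier is a simplified model of an OpenSSL 1.0.2-style client that walks the served chain to its top, resolves that top's issuer against the trust store, and gives up on expiry there rather than trying the shorter path to the self-signed ISRG Root X1, so removing DST Root CA X3 from the store is what makes verification succeed. Expiry dates other than the X3 date given in the thread are approximate and constructed for the model.

```python
"""Model of the failure mode described in the thread: an OpenSSL 1.0.2-style
client with the expired DST Root CA X3 still in its trust store.
Added example, not code from the thread or from LON-CAPA. Certificates are
plain dicts (no real X.509 parsing) and the verifier is a simplification
of the behaviour the thread describes, not OpenSSL's actual code."""
from datetime import date


def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer, "not_after": not_after}


# Constructed toy certificates; expiry dates are approximate, except the
# DST Root CA X3 expiry (September 30th, 2021) given in the thread.
LEAF = cert("loncapa.org", "R3", date(2021, 12, 1))
R3 = cert("R3", "ISRG Root X1", date(2025, 9, 15))
X1_CROSS = cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))  # cross-signed
X1_SELF = cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
DST_X3 = cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))

SERVED_CHAIN = [LEAF, R3, X1_CROSS]  # what a Let's Encrypt server sends


def verify(chain, trust_store, today):
    """Return (ok, reason). The served chain is used first; its top is then
    resolved against the trust store. A shorter path is tried only when no
    trusted issuer is found, not when the issuer that was found has expired."""
    trusted = {c["subject"]: c for c in trust_store}
    for c in chain:
        if c["not_after"] < today:
            return False, "certificate has expired: " + c["subject"]
    for end in range(len(chain), 0, -1):
        root = trusted.get(chain[end - 1]["issuer"])
        if root is None:
            continue  # unable to get issuer certificate: try a shorter chain
        if root["not_after"] < today:
            return False, "certificate has expired: " + root["subject"]
        return True, "OK, chain ends at " + root["subject"]
    return False, "unable to get local issuer certificate"


def demo(today=date(2021, 10, 1)):
    """Same served chain, before and after the ca-certificates update."""
    before = verify(SERVED_CHAIN, [DST_X3, X1_SELF], today)  # old bundle
    after = verify(SERVED_CHAIN, [X1_SELF], today)           # X3 removed
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before update", "after update"), demo()):
        print(f"{label}: {result[1]}")
```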