[LON-CAPA-admin] LON-CAPA on CentOS 7 and letsencrypt.org SSL certs

Lucas, Mark lucasm at ohio.edu
Fri Oct 1 10:47:36 EDT 2021


Stuart,

Does this also apply to RHEL 7?

Thanks,
Mark

> On Sep 30, 2021, at 9:05 PM, Raeburn, Stuart via LON-CAPA-admin <lon-capa-admin at mail.lon-capa.org> wrote:
> 
> Hi,
> 
> If you run LON-CAPA on CentOS 7, and you have not already done so, then you should update the ca-certificates package to rev. 2021.2.50-72.el7_9 (released September 23rd). 
> 
> This can be done using:
> 
> yum update ca-certificates
> 
> This is required if you are using an Apache/SSL certificate from letsencrypt.org on the server itself (with mod_ssl also installed).  
> 
> If you use SSL certificates signed by a different certificate authority, or you don't use Apache/SSL, this is still required if you would like to be able to replicate content from other LON-CAPA nodes which themselves use an Apache/SSL certificate from letsencrypt.org.
> 
> The reason why this is needed is that letsencrypt.org had used a “cross-signature” from the DST Root CA X3 root certificate to support older devices, and the X3 certificate expired at 10 am EDT today, September 30th.  Modern browsers and devices trust letsencrypt.org's ISRG Root X1 certificate which has not expired.
> 
> Replication of content in LON-CAPA, which uses perl-libwww-perl 6 (i.e., LWP) and openssl 1.0.2, will fail on CentOS 7 if the expired X3 certificate is still present as one of the trusted certificates.  By updating ca-certificates to rev. 2021.2.50-72.el7_9 the X3 certificate will be removed.
> 
> If this command:
> 
> less /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem | grep 'DST Root CA X3'
> 
> returns: 
> # DST Root CA X3
> 
> then the expired Root CA is still present.
> 
> 
> Stuart Raeburn
> LON-CAPA Academic Consortium

-- 
Mark Lucas
Professor of Instruction
Department of Physics and Astronomy (College of Arts and Sciences)/Ohio Honors Program (Honors College)
252D Clippinger Lab, Ohio University, Athens, OH 45701
email: lucasm at ohio.edu
phone: (740)597-2984
Pronouns: He, Him, His
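
The two checks described in the quoted message (the `DST Root CA X3` label in the trust bundle and the ca-certificates revision), combined into one script. This is an added example, not part of the original thread; the function names and the `--host` switch are hypothetical, and `sort -V` is assumed to be a close enough stand-in for RPM version ordering.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Path, label and revision are the
# ones quoted in the message; the function names are hypothetical.
BUNDLE_DEFAULT=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
FIXED_REV=2021.2.50-72.el7_9

# Exit 0 if the bundle still carries the "DST Root CA X3" label.
bundle_has_x3() {
    grep -q 'DST Root CA X3' "$1"
}

# Exit 0 if the given version-release sorts at or above FIXED_REV.
# sort -V only approximates RPM version ordering (assumption).
rev_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED_REV" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_REV" ]
}

# Report both conditions; exit 0 only when the host looks updated.
audit() {
    bundle=$1 rev=$2 status=0
    if [ ! -r "$bundle" ]; then
        # An unreadable bundle must not be reported as "X3 absent".
        echo "ERROR: cannot read $bundle"; return 2
    fi
    if bundle_has_x3 "$bundle"; then
        echo "FAIL: expired DST Root CA X3 is still in $bundle"; status=1
    else
        echo "OK: DST Root CA X3 not found in $bundle"
    fi
    if rev_is_fixed "$rev"; then
        echo "OK: ca-certificates $rev is at or above $FIXED_REV"
    else
        echo "FAIL: ca-certificates $rev is older than $FIXED_REV; run: yum update ca-certificates"; status=1
    fi
    return "$status"
}

# Check the live host only when asked: ./check-x3.sh --host
if [ "${1:-}" = "--host" ]; then
    audit "$BUNDLE_DEFAULT" "$(rpm -q --qf '%{VERSION}-%{RELEASE}' ca-certificates)"
fi
```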







