[LON-CAPA-admin] LON-CAPA on CentOS 7 and letsencrypt.org SSL certs

Raeburn, Stuart raeburn at msu.edu
Thu Sep 30 21:05:36 EDT 2021


Hi,

If you run LON-CAPA on CentOS 7, and you have not already done so, then you should update the ca-certificates package to rev. 2021.2.50-72.el7_9 (released September 23rd). 

This can be done using:

yum update ca-certificates

This is required if you are using an Apache/SSL certificate from letsencrypt.org on the server itself (with mod_ssl also installed).  

If you use SSL certificates signed by a different certificate authority, or you don't use Apache/SSL, this is still required if you would like to be able to replicate content from other LON-CAPA nodes which themselves use an Apache/SSL certificate from letsencrypt.org.

The reason why this is needed is that letsencrypt.org had used a “cross-signature” from the DST Root CA X3 root certificate to support older devices, and the X3 certificate expired at 10 am EDT today, September 30th.  Modern browsers and devices trust letsencrypt.org's ISRG Root X1 certificate which has not expired.

Replication of content in LON-CAPA, which uses perl-libwww-perl 6 (i.e., LWP) and openssl 1.0.2, will fail on CentOS 7 if the expired X3 certificate is still present as one of the trusted certificates.  By updating ca-certificates to rev. 2021.2.50-72.el7_9 the X3 certificate will be removed.

If this command:

grep 'DST Root CA X3' /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

returns: 
# DST Root CA X3

then the expired Root CA is still present.


Stuart Raeburn
LON-CAPA Academic Consortium
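As an added illustration (not code from the announcement or from LON-CAPA), the stdlib-only Python below walks a file in the tls-ca-bundle.pem layout (a "# name" comment line followed by each PEM block), reads the notAfter date straight out of each certificate's DER, and lists the trusted roots that have already expired. The bundle it runs on is a constructed two-entry sample whose certificate bodies are hand-built DER skeletons carrying only the fields needed to reach the validity dates, not real certificates.

```python
import base64, re
from datetime import datetime, timezone

def _tlv(tag, body):
    n = len(body)  # bodies in this sample stay well under 256 bytes
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x81" + bytes([n])) + body

def _skeleton(nb, na):  # constructed DER skeleton: only the fields needed to reach validity
    validity = _tlv(0x30, _tlv(0x17, nb) + _tlv(0x17, na))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")   # [0] version, serial
           + _tlv(0x30, b"") + _tlv(0x30, b"") + validity)          # signature, issuer
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the DER element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    tbs = read_tlv(read_tlv(der, 0)[1], 0)[1]
    pos = read_tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0   # skip optional [0] version
    for _ in range(3):                                   # serialNumber, signature, issuer
        pos = read_tlv(tbs, pos)[2]
    validity = read_tlv(tbs, pos)[1]
    tag, value, _ = read_tlv(validity, read_tlv(validity, 0)[2])  # second element = notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"    # UTCTime / GeneralizedTime
    return datetime.strptime(value.decode(), fmt).replace(tzinfo=timezone.utc)

# Entries in tls-ca-bundle.pem are a "# <name>" comment line followed by the PEM block.
PEM_RE = re.compile(r"^# (.+?)\n-----BEGIN CERTIFICATE-----\n(.*?)-----END CERTIFICATE-----", re.M | re.S)

def expiry_table(bundle_text):
    """Map each bundle entry's name to its notAfter (UTC)."""
    return {name: not_after(base64.b64decode("".join(b64.split())))
            for name, b64 in PEM_RE.findall(bundle_text)}

def expired_roots(bundle_text, now=None):
    """Names of entries whose notAfter is earlier than `now` (default: current time)."""
    now = now or datetime.now(timezone.utc)
    return [name for name, exp in expiry_table(bundle_text).items() if exp < now]

def _pem(name, der):
    return f"# {name}\n-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"

# Constructed two-entry bundle; the notAfter values are the published expiries of the real roots.
SAMPLE_BUNDLE = (_pem("DST Root CA X3", _skeleton(b"000930211219Z", b"210930140115Z"))
                 + _pem("ISRG Root X1", _skeleton(b"150604110438Z", b"350604110438Z")))
```

Pointing `expiry_table` at the real bundle (open the path from the grep above and pass its text) lists every trusted root with its expiry, so the check does not depend on the comment header alone.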

