Centos 6 - Let's Encrypt X3 Cert expiration Problem

General support questions
Hellkeeper
Posts: 52
Joined: 2005/07/10 22:16:30

Centos 6 - Let's Encrypt X3 Cert expiration Problem

Post by Hellkeeper » 2021/10/01 09:01:58

Hello,
we all know - CentOS 6 is long EOL ... but lots of admins are struck by the X3 CA cert expiration of Let's Encrypt certs. See: https://community.letsencrypt.org/t/rhe ... ion/161032
Are there any chances that someone could release working ca-certificates / openssl Packages fixing the Problem?
thx, bye from Austria
Andy

Comrad
Posts: 7
Joined: 2015/04/02 17:23:04

Re: Centos 6 - Let's Encrypt X3 Cert expiration Problem

Post by Comrad » 2021/10/04 12:56:44

Yes, we need that too very much!
Fiddling with CA files is not enough.
OpenSSL needs to be patched or updated to 1.0.2.
For now I see only 2 ways:
1) update openssl to 1.0.2k from Centos 7:
https://community.letsencrypt.org/t/rhe ... /161032/22
or
2) patch your own openssl 1.0.1e like here (in Russian):
https://habr.com/ru/post/580092/#comment_23548598

I haven't tried either of them yet.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 6 - Let's Encrypt X3 Cert expiration Problem

Post by TrevorH » 2021/10/04 13:06:00

Updating to 1.0.2k will not help; the bug exists there too, and Red Hat's fix for 1.0.2k in el7 was to remove the expired certificate from the bundle. You should be able to do that yourself if you can find the instructions to do so.

The real solution is get off CentOS 6.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
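The option TrevorH mentions, taking the expired root out of the trust bundle, as an added example that is not from this thread: a POSIX sh script that lists every CA in a PEM bundle with its expiry status and writes a copy of the bundle with one CA (selected by subject CN) left out. It assumes awk and an openssl binary are available; "DST Root CA X3" is the expired Let's Encrypt root the thread is about.

```shell
#!/bin/sh
# Added example (not the thread's own commands): inspect a PEM CA bundle and
# produce a copy without a given CA. Assumes POSIX sh, awk and openssl.
set -eu

# Print the n-th certificate (1-based) of a PEM bundle; prints nothing if absent.
pem_nth_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ { if (n == want) exit }' "$1"
}

# Number of certificates in a PEM bundle (grep -c exits 1 on zero matches).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject CN of one PEM certificate read from stdin (needs openssl).
pem_subject_cn() {
    openssl x509 -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN=//p'
}

# Print "CN | OK" or "CN | EXPIRED" for every certificate in bundle $1.
bundle_report() {
    total=$(pem_cert_count "$1"); i=1
    while [ "$i" -le "$total" ]; do
        cert=$(pem_nth_cert "$1" "$i"); status=OK
        # -checkend 0 exits non-zero once notAfter is in the past
        printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 || status=EXPIRED
        printf '%s | %s\n' "$(printf '%s\n' "$cert" | pem_subject_cn)" "$status"
        i=$((i + 1))
    done
}

# Copy bundle $1 to $2, dropping every certificate whose subject CN equals $3.
# Prints the number of certificates dropped.
bundle_without_cn() {
    src=$1; dst=$2; cn=$3
    total=$(pem_cert_count "$src"); dropped=0; i=1
    : > "$dst"
    while [ "$i" -le "$total" ]; do
        cert=$(pem_nth_cert "$src" "$i")
        if [ "$(printf '%s\n' "$cert" | pem_subject_cn)" = "$cn" ]; then
            dropped=$((dropped + 1))
        else
            printf '%s\n' "$cert" >> "$dst"
        fi
        i=$((i + 1))
    done
    echo "$dropped"
}
```

Typical use on a CentOS 6 box would be `bundle_report /etc/pki/tls/certs/ca-bundle.crt` followed by `bundle_without_cn /etc/pki/tls/certs/ca-bundle.crt /tmp/ca-bundle.crt "DST Root CA X3"`, then verifying a Let's Encrypt chain against the copy with `openssl verify -CAfile /tmp/ca-bundle.crt` before swapping it in. If update-ca-trust is enabled on that host, the bundle is regenerated from /etc/pki/ca-trust and a direct edit would be overwritten.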

Hellkeeper
Posts: 52
Joined: 2005/07/10 22:16:30

Re: Centos 6 - Let's Encrypt X3 Cert expiration Problem

Post by Hellkeeper » 2021/10/06 17:58:52

I don't want to encourage anyone to stay on Centos 6, on the contrary ... upgrade your servers to the latest version ... but ... this problem can be solved if really needed ...

See here: https://community.letsencrypt.org/t/rhe ... ion/161032

Build openssl RPM:

Code:

# build dependencies for the el7 openssl source package
yum install wget
yum install krb5-devel zlib-devel lksctp-tools-devel util-linux make gcc rpm-build
# fetch and unpack the CentOS 7.9 openssl 1.0.2k source RPM into ~/rpmbuild
curl -o openssl-1.0.2k-21.el7_9.src.rpm https://vault.centos.org/7.9.2009/updates/Source/SPackages/openssl-1.0.2k-21.el7_9.src.rpm
rpm -i openssl-1.0.2k-21.el7_9.src.rpm
# el6 glibc has no secure_getenv(); fall back to getenv() and skip the patch that needs it
cd ~/rpmbuild/SOURCES/
sed -i 's/secure_getenv(/getenv(/g' *patch
cd ../SPECS/
sed -i 's/%patch68 -p1 -b .secure-getenv/#%patch68 -p1 -b .secure-getenv/g' openssl.spec
rpmbuild -bb openssl.spec
# install the resulting el6 packages
cd ../RPMS/x86_64
rpm -U openssl-libs-1.0.2k-21.el6.x86_64.rpm openssl-1.0.2k-21.el6.x86_64.rpm

Build ca-certificates RPM:

Code:

yum install asciidoc java-1.6.0-openjdk
mkdir -p /dl/ca-cert; cd /dl/ca-cert;
# el6 source package: provides the spec that gets built (goes into ~/rpmbuild)
curl -o ca-certificates-2020.2.41-65.1.el6_10.src.rpm https://vault.centos.org/6.10/updates/Source/SPackages/ca-certificates-2020.2.41-65.1.el6_10.src.rpm
rpm -i ca-certificates-2020.2.41-65.1.el6_10.src.rpm
# el7 source package: only its newer certdata.txt is taken, extracted into the current directory
curl -o ca-certificates-2021.2.50-72.el7_9.src.rpm https://vault.centos.org/7.9.2009/updates/Source/SPackages/ca-certificates-2021.2.50-72.el7_9.src.rpm
rpm2cpio ca-certificates-2021.2.50-72.el7_9.src.rpm | cpio -idmv
cp certdata.txt ~/rpmbuild/SOURCES/
sed -i 's/Version: 2020.2.41/Version: 2021.2.50/g' ~/rpmbuild/SPECS/ca-certificates.spec
# build the edited el6 spec (cpio also dropped the el7 spec here, so give the full path)
rpmbuild -bb ~/rpmbuild/SPECS/ca-certificates.spec
cd /root/rpmbuild/RPMS/noarch/
rpm -U ca-certificates-2021.2.50-65.1.el6.noarch.rpm

Andreas S.

ms217
Posts: 7
Joined: 2020/09/14 10:40:31

Re: Centos 6 - Let's Encrypt X3 Cert expiration Problem

Post by ms217 » 2021/12/30 21:19:32

I absolutely cannot recommend upgrading the CentOS 6 OpenSSL package.
It is one of the base packages that shouldn't be upgraded because of the risk of leaving the system no longer working as intended.

The base OpenSSL is required by many services like httpd, postfix, dovecot and so on.

CentOS 6 is dead. If you still want/need to use it then get at least ELT support from Red Hat or CloudLinux/Tuxcare.
For the time being, CloudLinux is kind enough to occasionally push their ELTS 6 packages onto their FTP servers.

Instead of the OpenSSL 1.0.2k from EL7 "workaround" I would suggest grabbing the CloudLinux 6 OpenSSL package: https://repo.cloudlinux.com/cloudlinux/ ... ls.src.rpm

Rebuild it, preferably with mock. Backporting the content from the ca-certificates (EL7) src.rpm should be fine, as long as one uses the ca-certificates.src.rpm from EL6.
