Certificate "AddTrust External CA Root" expired on 30/05/2020

Post by nalioui » 2022/12/01 16:09:55

Hello Team CentOS,

I found a vulnerability on a web server associated with the certificate "AddTrust External CA Root" which expired on 30/05/2020 at 10:48.

I followed the procedure of the link below proposing to fix it by blacklisting it:

https://access.redhat.com/articles/5117881

Either:

# trust dump --filter "pkcs11:id=%ad%bd%98%7a%34%b4%26%f7%fa%c4%26%54%ef%03%bd%e0%24%cb%54%1a;type=cert" | openssl x509 | tee /etc/pki/ca-trust/source/blacklist/AddTrustExternalCARoot.pem

# update-ca-trust extract

But it did not work.

Do you have an idea?

Thanks in advance :)

Post by TrevorH » 2022/12/01 17:38:00

Did you try just running yum update? I no longer see that certificate in the trust store with the latest ca-certificates package installed.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Post by nalioui » 2022/12/05 11:52:10

Hello TrevorH,

Thank you for your feedback and responsiveness.

I did not run the update because this is a production server.

Concerning the update of the "ca-certificates" package, I have 2 questions about it:

1- Can it have an impact and generate conflicts?

2- When I check the validity of the certificates via "https://www.ssllabs.com/ssltest/" I see that the certificates are issued from the server on the one hand, and also that they are not in the Trust Store (See attached pictures).

Thank you in advance for your feedback :)
Attachments: AddTrust-1.png (ssllabs.com result 1), AddTrust-2.png (ssllabs.com result 2)

Post by TrevorH » 2022/12/05 13:50:42

nalioui wrote: "I did not run the update because this is a production server."

It is your production servers that need the updates most! Those are the ones that you will suffer most from having them compromised.

The certificate you are complaining about no longer exists in the trust store once you update.

Post by nalioui » 2022/12/15 15:58:05

Hello Team,

I found the solution.

The problem was actually related to the certificate chain of one of my vhosts. I commented out all the lines related to the expired certificates and everything went back to normal.

Thanks again for your suggestions.
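
The resolution above came down to expired certificates in the chain a vhost was serving, not the system trust store. As an added example (not part of the thread), this shell function splits a PEM chain file and uses `openssl x509 -checkend` to flag every certificate that has expired or, going slightly beyond the thread, will expire within a grace period; the function name `check_chain` and the file path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report expired certificates in a PEM
# chain file such as the one a vhost serves. Function name is hypothetical.

# check_chain FILE [GRACE_SECONDS]
#   Prints "OK ..." or "FAIL ..." for every certificate in FILE.
#   FAIL means expired, or expiring within GRACE_SECONDS (default 0).
#   Returns 0 if all pass, 1 if any fails, 2 if FILE holds no certificate.
check_chain() {
    bundle=$1
    grace=${2:-0}
    tmpdir=$(mktemp -d) || return 2

    # openssl x509 reads only the first certificate of a file, so split the
    # bundle into one file per BEGIN/END block before inspecting it.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    rc=2
    for pem in "$tmpdir"/cert*.pem; do
        [ -e "$pem" ] || break          # glob did not match: nothing to check
        [ "$rc" -eq 2 ] && rc=0
        subject=$(openssl x509 -in "$pem" -noout -subject)
        enddate=$(openssl x509 -in "$pem" -noout -enddate)
        # -checkend N exits non-zero when notAfter falls within the next N seconds
        if openssl x509 -in "$pem" -noout -checkend "$grace" >/dev/null; then
            echo "OK   $subject ($enddate)"
        else
            echo "FAIL $subject ($enddate)"
            rc=1
        fi
    done

    rm -rf "$tmpdir"
    return "$rc"
}

# Stand-alone use: sh check_chain.sh /path/to/chain.pem [grace_seconds]
if [ "$#" -gt 0 ]; then
    check_chain "$@"
fi
```

Run it against the chain file your vhost configuration points at; any `FAIL` line names a certificate the server is still sending to clients.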
