Hello Team CentOS,
I found a vulnerability on a web server associated with the certificate "AddTrust External CA Root" which expired on 30/05/2020 at 10:48.
I followed the procedure of the link below proposing to fix it by blacklisting it:
https://access.redhat.com/articles/5117881
Either:
# trust dump --filter "pkcs11:id=%ad%bd%98%7a%34%b4%26%f7%fa%c4%26%54%ef%03%bd%e0%24%cb%54%1a;type=cert" | openssl x509 | tee /etc/pki/ca-trust/source/blacklist/AddTrustExternalCARoot.pem
# update-ca-trust extract
But it did not work.
Do you have an idea?
Thanks in advance
Certificate "AddTrust External CA Root" expired on 30/05/2020
Re: Certificate "AddTrust External CA Root" expired on 30/05/2020
Did you try just running yum update? I no longer see that certificate in the trust store with the latest ca-certificates package installed.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Certificate "AddTrust External CA Root" expired on 30/05/2020
Hello TrevorH,
Thank you for your feedback and responsiveness.
I did not run the update because this is a production server.
Concerning the update of the "ca-certificates" package I have 2 questions about it:
1- Can it have an impact and generate conflicts?
2- When I check the validity of the certificates via "https://www.ssllabs.com/ssltest/" I see that the certificates are issued from the server on the one hand, and also that they are not in the Trust Store (See attached pictures).
Thank you in advance for your feedback
Attachments:
- AddTrust-1.png: ssllabs.com result 1
- AddTrust-2.png: ssllabs.com result 2
Re: Certificate "AddTrust External CA Root" expired on 30/05/2020
> I did not run the update because this is a production server.
It is your production servers that need the updates most! Those are the ones that you will suffer most from having them compromised.
The certificate you are complaining about no longer exists in the trust store once you update.
Re: Certificate "AddTrust External CA Root" expired on 30/05/2020
Hello Team,
I found the solution.
The problem was actually related to the certificate chain of one of my vhosts. I commented out all the lines related to the expired certificates and everything went back to normal.
Thanks again for your suggestions
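An added example, not part of the original posts: a shell function that lists the certificates inside a PEM chain file (such as the one a vhost is configured to serve) that are expired or will expire within a given window. The function name `chain_expiring` and the file path passed to it are assumptions; it relies only on `openssl x509 -checkend`.

```shell
#!/bin/sh
# Added example (not from the thread).
# Usage: chain_expiring BUNDLE [SECONDS]
#   SECONDS defaults to 0, meaning "already expired".
# Prints one line per offending certificate; returns 1 if any were found.
chain_expiring() {
    bundle=$1
    window=${2:-0}
    tmp=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate, because
    # "openssl x509" only reads the first certificate of its input.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    found=0
    for pem in "$tmp"/cert*.pem; do
        [ -e "$pem" ] || continue
        # -checkend N exits non-zero when the certificate expires within N seconds.
        if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
            found=1
            subject=$(openssl x509 -in "$pem" -noout -subject)
            enddate=$(openssl x509 -in "$pem" -noout -enddate)
            printf '%s: %s (%s)\n' "$(basename "$pem")" "$subject" "$enddate"
        fi
    done

    rm -rf "$tmp"
    return "$found"
}

# When run as a script with arguments, check the given bundle.
if [ "$#" -gt 0 ]; then
    chain_expiring "$@"
fi
```

The position in the output (`cert001.pem`, `cert002.pem`, ...) is the certificate's position in the bundle, which identifies the block to remove or replace in the chain file.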