
[XEN PATCH 3/4] automation: Remove expired root certificates that used to be used by Let's Encrypt


  • To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Anthony PERARD <anthony.perard@xxxxxxxxxx>
  • Date: Wed, 15 Feb 2023 12:02:07 +0000
  • Cc: Anthony PERARD <anthony.perard@xxxxxxxxxx>, Doug Goldstein <cardoe@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>
  • Delivery-date: Wed, 15 Feb 2023 12:09:14 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

While the Let's Encrypt root certificate ISRG_Root_X1.crt is already
present, openssl seems to still check for the root certificate
DST_Root_CA_X3.crt which has expired. This prevents https connections.

Removing DST_Root_CA_X3 fixes the issue.

centos: found the filter by looking for "DST Root" in `trust list`.

Signed-off-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
---
 automation/build/centos/7.2.dockerfile         | 5 +++++
 automation/build/centos/7.dockerfile           | 5 +++++
 automation/build/debian/jessie-i386.dockerfile | 5 +++++
 automation/build/debian/jessie.dockerfile      | 5 +++++
 automation/build/ubuntu/trusty.dockerfile      | 5 +++++
 5 files changed, 25 insertions(+)

diff --git a/automation/build/centos/7.2.dockerfile 
b/automation/build/centos/7.2.dockerfile
index 4baa097e31..27244fd002 100644
--- a/automation/build/centos/7.2.dockerfile
+++ b/automation/build/centos/7.2.dockerfile
@@ -50,3 +50,8 @@ RUN rpm --rebuilddb && \
         bzip2 \
         nasm \
     && yum clean all
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN trust extract 
--filter=pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10\;type=cert
 --format=pem-bundle /etc/pki/ca-trust/source/blacklist/DST_Root_CA_X3.pem && \
+    update-ca-trust
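Review bot: the `pkcs11:id=%c4%a7...` filter on the `trust extract` line is an opaque byte string; the only thing tying it to DST Root CA X3 is the output file name, so a reader cannot check the id without repeating the `trust list` search the commit message describes. Put the `trust list` label and a one-line note that the id is the `pkcs11:id=` field of that entry's URI into the comment above the RUN. The comment itself also needs "relie" -> "rely", and "(Not needed anymore)" reads as if the RUN is unnecessary; say what is no longer needed, i.e. the DST Root CA X3 cross-sign. Finally, nothing on these lines fails the build if the filter matches no certificate; a check after `update-ca-trust` that `trust list` reports DST Root CA X3 as distrusted would catch a wrong or stale id.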
diff --git a/automation/build/centos/7.dockerfile 
b/automation/build/centos/7.dockerfile
index e688a4cece..b370068e3c 100644
--- a/automation/build/centos/7.dockerfile
+++ b/automation/build/centos/7.dockerfile
@@ -49,3 +49,8 @@ RUN yum -y install \
         nasm \
     && yum clean all && \
     rm -rf /var/cache/yum
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN trust extract 
--filter=pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10\;type=cert
 --format=pem-bundle /etc/pki/ca-trust/source/blacklist/DST_Root_CA_X3.pem && \
+    update-ca-trust
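Review bot: this is the same command and comment as in 7.2.dockerfile, including the "relie" typo and the ambiguous "(Not needed anymore)"; whatever wording and filter id is settled on for 7.2 should be applied here identically, or the id moved to a single place both files use, so the two CentOS images cannot drift. Since this is the shell form of RUN, the `\;` in `\;type=cert` is consumed by the shell and `trust` receives a bare `;`; a short comment saying so would stop someone "fixing" the escape and silently changing the filter.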
diff --git a/automation/build/debian/jessie-i386.dockerfile 
b/automation/build/debian/jessie-i386.dockerfile
index c617b6fbfb..84135230d0 100644
--- a/automation/build/debian/jessie-i386.dockerfile
+++ b/automation/build/debian/jessie-i386.dockerfile
@@ -51,3 +51,8 @@ RUN apt-get update && \
         apt-get autoremove -y && \
         apt-get clean && \
         rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN sed -i '/mozilla\/DST_Root_CA_X3\.crt/d' /etc/ca-certificates.conf && \
+    update-ca-certificates
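Review bot: `sed -i '/mozilla\/DST_Root_CA_X3\.crt/d'` succeeds whether or not any line matched, so if the entry in /etc/ca-certificates.conf is ever named differently the expired root stays trusted and the image still builds. Guard it, e.g. `grep -q 'mozilla/DST_Root_CA_X3.crt' /etc/ca-certificates.conf && \` before the sed, so a non-match fails the build. Note also that trusty.dockerfile in this same patch deselects the certificate by prefixing `!` rather than deleting the line; one form should be used across the Debian and Ubuntu files.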
diff --git a/automation/build/debian/jessie.dockerfile 
b/automation/build/debian/jessie.dockerfile
index 8918b26d75..d11dd48e17 100644
--- a/automation/build/debian/jessie.dockerfile
+++ b/automation/build/debian/jessie.dockerfile
@@ -50,3 +50,8 @@ RUN apt-get update && \
         apt-get autoremove -y && \
         apt-get clean && \
         rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN sed -i '/mozilla\/DST_Root_CA_X3\.crt/d' /etc/ca-certificates.conf && \
+    update-ca-certificates
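Review bot: identical to the jessie-i386 hunk, so it inherits the same silent-no-op behaviour of `sed -i '/.../d'` when nothing matches; whichever guard is added there should be added here too. The comment typo "relie" -> "rely" and the unclear "(Not needed anymore)" apply to this file as well.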
diff --git a/automation/build/ubuntu/trusty.dockerfile 
b/automation/build/ubuntu/trusty.dockerfile
index b4b2f85e73..16d08ca931 100644
--- a/automation/build/ubuntu/trusty.dockerfile
+++ b/automation/build/ubuntu/trusty.dockerfile
@@ -49,3 +49,8 @@ RUN apt-get update && \
         apt-get autoremove -y && \
         apt-get clean && \
         rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN sed -i 's#mozilla/DST_Root_CA_X3\.crt#!\0#' /etc/ca-certificates.conf && \
+    update-ca-certificates
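Review bot: the substitution `s#mozilla/DST_Root_CA_X3\.crt#!\0#` is not anchored, so if the line is already deselected (`!mozilla/DST_Root_CA_X3.crt`) a re-run produces `!!mozilla/...`, and `\0` in the replacement is a GNU sed extension where `&` is the portable spelling. Suggest `s#^mozilla/DST_Root_CA_X3\.crt$#!&#`, which is idempotent and matches only the exact entry. As with the jessie files, sed does not report a non-match, so pair it with a `grep -q` check, and decide whether all three Debian/Ubuntu files should use this `!` form or the line deletion used for jessie.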
-- 
Anthony PERARD
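The Debian/Ubuntu hunks above deselect a CA in /etc/ca-certificates.conf with a bare `sed -i`, which neither fails when the entry is missing nor stays idempotent when the entry is already prefixed with `!`. The following is an added example, not code from the Xen patch or from the ca-certificates package, showing one way to do the edit safely; the `deselect_ca` and `make_sample_conf` function names are assumptions, and the sample conf content is constructed for the example rather than copied from a real system.

```shell
#!/bin/sh
# Added example (not part of the Xen patch): safely deselect one CA entry in a
# Debian-style /etc/ca-certificates.conf.
#
# deselect_ca CONF_FILE CERT_ENTRY
#   CERT_ENTRY is the path as listed in the conf, e.g. mozilla/DST_Root_CA_X3.crt
# Returns 1 (and leaves the file untouched) if the entry is not listed at all,
# so a build step using it fails instead of silently keeping the CA trusted.
deselect_ca() {
    conf=$1
    cert=$2
    # Accept both "entry" and "!entry" as "listed"; '.' in the entry name is a
    # regex metachar but only ever has to match a literal '.', which it does.
    grep -q "^!\{0,1\}${cert}\$" "$conf" || {
        echo "deselect_ca: ${cert} not listed in ${conf}" >&2
        return 1
    }
    # Anchored match of the un-prefixed line only, so running this twice never
    # yields "!!entry"; '&' is the portable form of GNU sed's '\0'.
    sed -i "s#^${cert}\$#!&#" "$conf"
}

# Count of deselected (i.e. '!'-prefixed) occurrences of an entry; used to
# verify the edit took effect exactly once.
deselected_count() {
    grep -c "^!${2}\$" "$1"
}

# Constructed sample conf (illustrative content, not a real system file).
make_sample_conf() {
    printf '%s\n' \
        '# Lines starting with ! deselect the certificate' \
        'mozilla/DST_Root_CA_X3.crt' \
        'mozilla/ISRG_Root_X1.crt' > "$1"
}

# Stand-alone run: edit a temporary copy twice and show the result.
if [ "${0##*/}" = "deselect_ca.sh" ]; then
    f=$(mktemp)
    make_sample_conf "$f"
    deselect_ca "$f" mozilla/DST_Root_CA_X3.crt
    deselect_ca "$f" mozilla/DST_Root_CA_X3.crt   # second run is a no-op
    cat "$f"
    rm -f "$f"
fi
```

In a Dockerfile the same logic collapses to `grep -q '^mozilla/DST_Root_CA_X3\.crt$' /etc/ca-certificates.conf && sed -i 's#^mozilla/DST_Root_CA_X3\.crt$#!&#' /etc/ca-certificates.conf && update-ca-certificates`, which fails the image build if the entry has moved or been renamed.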
