[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[XEN PATCH v3 3/4] automation: Remove expired root certificates used to be used by let's encrypt

  • To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Anthony PERARD <anthony.perard@xxxxxxxxxx>
  • Date: Fri, 24 Feb 2023 17:29:14 +0000
  • Authentication-results: esa2.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Doug Goldstein <cardoe@xxxxxxxxxx>, "Stefano Stabellini" <sstabellini@xxxxxxxxxx>
  • Delivery-date: Fri, 24 Feb 2023 17:29:34 +0000
  • Ironport-data: A9a23:6RPR6qlcfYMDshxa1vzFXybo5gyZJkRdPkR7XQ2eYbSJt1+Wr1Gzt xJMDzqDM/vYMWSjKNskO97l9BhTvcLdy9VnT1RurCk8ECMWpZLJC+rCIxarNUt+DCFhoGFPt JxCN4aafKjYaleG+39B55C49SEUOZmgH+a6U6icfHgqH2eIcQ954Tp7gek1n4V0ttawBgKJq LvartbWfVSowFaYCEpNg064gE4p7auaVA8w5ARkPqgR5gOGzBH5MbpETU2PByqgKmVrNrbSq 9brlNmR4m7f9hExPdKp+p6TnpoiG+O60aCm0xK6aoD66vRwjnVaPpUTbZLwXXx/mTSR9+2d/ f0W3XCGpaXFCYWX8AgVe0Ew/yiTpsSq8pefSZS0mZT7I0Er7xIAahihZa07FdRwxwp5PY1B3 e0cORogSi6EvsP18eOKUedhv54CC+C+aevzulk4pd3YJfMvQJSFSKTW/95Imjw3g6iiH96HO ZBfM2A2Kk2dPVsWYAx/5JEWxY9EglH2dSFYr1SE47I6+WHJwCR60aT3McqTcduPLSlQthfI/ T+arzilav0cHMaF8hWCr2qdv7PwgHL3cqspHaT7+sc/1TV/wURMUUZLBDNXu8KRmkO4Ht5SN UEQ0i4vtrQpslymSMHnWB+1q2LCuQQTM/JbGvc27wylwaPO7wGUQGMDS1Zpc8c6vcU7QTgr0 F6hnN7zAzFr9rqPRhqgGqy89G3of3JPdClbOHFCFFFeizX+nG0tpgPLX/xONJCyt/y2KGDB2 D6HlXIfoJxG2KbnyJ6H1VzAhjutoL3AQQg0+hjbUwqZ0+9pWGK2T9f2sAaGtJ6sOK7cFwDc5 yZcx6By+chUVfmweDqxrPLh9V1Dz9KMK3XijFFmBPHNHBz9qif4Lei8DNyTTXqF0/romxezP Sc/WisLvve/2UdGiocmC79d8+xwkcDd+S3ND5g4lOZmbJlrbxOg9ypzf0OW1G2FuBFyzv5mZ sjBLpv9XSdy5UFbIN2eHbp17FPW7npmmTO7qW7TknxLLoZylFbKEOxYYTNin8gy7b+eoRW9z jqsH5Li9vmra8WnOnO/2ddKfTg3wY0TWcieRzp/KrTSfWKL2QgJV5fs/F/WU9A6w/8Izr+Vp xlQmCZwkTLCuJEOEi3SAlgLVV8ldc8XQa4TVcD0AWuV5g==
  • Ironport-hdrordr: A9a23:FZq3Zq6fLKauuWrWPwPXwM7XdLJyesId70hD6qhwISY7TiX+rb HIoB17726MtN9/YhAdcLy7VZVoBEmsl6KdgrNhWYtKPjOHhILAFugLhuHfKn/bakjDH4ZmpM FdmsNFZuEYY2IXsS+D2njaL+od
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
While the Let's Encrypt root certificate ISRG_Root_X1.crt is already
present, openssl seems to still check for the root certificate
DST_Root_CA_X3.crt which has expired. This prevent https connections.

Removing DST_Root_CA_X3 fix the issue.

Signed-off-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
---

Notes:
    v3:
    - remove change to Debian Jessie containers, as we won't use them with
      HTTPS urls.
    
    v2:
    - remove unneeded changes to CentOS containers

 automation/build/ubuntu/trusty.dockerfile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/automation/build/ubuntu/trusty.dockerfile 
b/automation/build/ubuntu/trusty.dockerfile
index b298a515c6..22e294c20c 100644
--- a/automation/build/ubuntu/trusty.dockerfile
+++ b/automation/build/ubuntu/trusty.dockerfile
@@ -47,3 +47,8 @@ RUN apt-get update && \
         apt-get autoremove -y && \
         apt-get clean && \
         rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
+
+# Remove expired certificate that Let's Encrypt certificates used to relie on.
+# (Not needed anymore)
+RUN sed -i 's#mozilla/DST_Root_CA_X3\.crt#!\0#' /etc/ca-certificates.conf && \
+    update-ca-certificates
-- 
Anthony PERARD

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.