
I have an Ubuntu 14.04.5 LTS installation. It just recently became unable to verify modern Let's Encrypt certificates. The current version of ca-certificates is 20160104ubuntu0.14.04.1. apt search ca-certificates tells me that the package is upgradeable to 20170717~14.04.2 from trusty-updates, but I think that's probably not modern enough.

I see ca-certificates version 20210119~18.04.2 in bionic-updates. Is it possible to install this without disrupting the system? Is there a better way? Thanks.

user1389892

  • Unfortunately 14.04 is not supported on this site. If you have [ESM with Canonical](https://ubuntu.com/blog/ubuntu-14-04-and-16-04-lifecycle-extended-to-ten-years) then they may be able to provide an accurate answer – matigo Sep 30 '21 at 15:37
  • Only supported releases of Ubuntu (*standard or public support*) are on-topic for this site. Ubuntu 14.04 LTS is EOL (*end-of-life*) thus off-topic, and Ubuntu 14.04 ESM is in *extended* support and only supported by Canonical via Ubuntu Advantage thus also off-topic here. Refer https://askubuntu.com/help/on-topic https://help.ubuntu.com/community/EOLUpgrades https://fridge.ubuntu.com/2019/05/02/ubuntu-14-04-trusty-tahr-reached-end-of-life-on-april-25-2019-esm-available/ – guiverc Sep 30 '21 at 22:12

1 Answer

You can install the latest stable certs from source (you'll need a working wget and unxz, or at least a way of copying the uncompressed .tar file or its contents onto your target server, perhaps just scp -r once you've extracted it locally):

```bash
# Ensure dependencies
sudo apt -y install make tar xz-utils wget

# Make a place to build it in
mkdir -p ~/src
cd ~/src
wget https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ca-certificates/20210119~20.04.2/ca-certificates_20210119~20.04.2.tar.xz
tar -xJf ca-certificates_20210119~20.04.2.tar.xz

# Now build and install (the extracted directory's suffix may not match
# the tarball's version string exactly, hence the glob)
cd ca-certificates-20210119~20.04.*/
make
sudo make install

# You might want to run this interactively to ensure
# you can select the ISRG Root X1
# in which case, just run: sudo dpkg-reconfigure ca-certificates
sudo dpkg-reconfigure -fnoninteractive ca-certificates
sudo update-ca-certificates
sudo /usr/bin/c_rehash /etc/ssl/certs
```
jaygooby
  • I ran through this and it generated a lot of new certificates in `/usr/share/ca-certificates/mozilla`, as well as `/etc/ssl/certs/ca-certificates.crt`. But `curl` still fails to validate certificates, even with `--cacert /etc/ssl/certs/ca-certificates.crt` – Daniel Buckmaster Oct 01 '21 at 00:10
  • This answer was very helpful. First, in `sbin/update-ca-certificates`, I had to change `openssl rehash` to `c_rehash` (I studied an older version of `ca-certificates`). I also had to do `dpkg-reconfigure ca-certificates` (interactively) to enable the Let's Encrypt ISRG X1 certs. Then I did `update-ca-certificates --fresh --verbose`. Make sure `/etc/ssl/certs` has some `ISRG Root X1` symlinks. – user1389892 Oct 01 '21 at 08:29
  • @daniel-buckmaster: check a couple of things... Do you have `ls -l /etc/ssl/certs/ISRG_Root_X1.pem`? If you don't, then try the interactive `dpkg-reconfigure` suggested above. If you do, ensure you *don't* have `/etc/ssl/certs/DST_Root_CA_X3.pem` (the expired cert) - again you can interactively deselect it in `dpkg-reconfigure ca-certificates`. What openssl library is curl using? Run `curl -V` and it will show you. Hopefully it's a 1.0.x like `OpenSSL/1.0.1f` and not an `OpenSSL/0.9.7` – jaygooby Oct 01 '21 at 08:47
  • I followed all the steps above, but `curl` was still complaining. In my case, the `openssl c_rehash` command was failing in the `update-ca-certificates` script. I tried force reinstalling the `openssl` apt package but that didn't help. What finally solved my problem is `cd /etc/ssl/certs` then running the rehash script directly: `/usr/bin/c_rehash`. – ttk Oct 01 '21 at 19:52
  • Thanks @user1389892 for this question. – Ariel Kogan Oct 12 '21 at 11:35
  • Let's Encrypt have an announcement [page](https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/) with links to resources. – Ariel Kogan Oct 12 '21 at 11:41
  • If you want to make fewer changes and only remove the expired certificate ([workaround 1](https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/) suggested by OpenSSL), you can run these commands: `cp /etc/ca-certificates.conf /etc/ca-certificates.conf.orig`, then `cat /etc/ca-certificates.conf.orig | sed 's|mozilla/DST_Root_CA_X3.crt|!mozilla/DST_Root_CA_X3.crt|g' > /etc/ca-certificates.conf`, then `dpkg-reconfigure -fnoninteractive ca-certificates` – Ariel Kogan Oct 12 '21 at 11:41
  • @ArielKogan's comment should be a valid answer. – Arcobaleno Oct 13 '21 at 10:01
  • I've tried all of these steps but I still get a `verify error:num=20:unable to get local issuer certificate` error when I run `openssl s_client` on my client server, trying to verify with another remote server. – alexw Oct 16 '21 at 03:53
  • @alexw what version does `openssl version` show? – jaygooby Oct 16 '21 at 16:42
  • @jaygooby I upgraded to 1.1.1k, which it now shows. Apparently [this message is to be expected](https://community.letsencrypt.org/t/struggling-to-get-new-isrg-root-certificate-to-be-recognized-in-ubuntu-16/163251), and I just had to wait a little while for the alternate/short chain to kick in. – alexw Oct 17 '21 at 01:26
  • Works also in a Dockerfile (no sudo, add RUN at each line start, perhaps add `WORKDIR /src` after mkdir). – questionto42 Dec 23 '21 at 13:34
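As an added example (not code from the answer or its comments), the checks jaygooby lists above (ISRG Root X1 present, the expired DST Root CA X3 gone, hash links from c_rehash in place) and Ariel Kogan's conf-file workaround, written as POSIX-shell functions; the paths default to the standard Ubuntu locations, and the functions accept other paths so they can be exercised on a scratch copy of the trust store.

```shell
#!/bin/sh
# Added example, not from the answer: post-upgrade sanity checks for the
# trust store. Paths default to the standard Ubuntu locations; the
# functions accept other paths so they can be exercised on a scratch copy.

# 0 if $2.pem exists in certs dir $1 (e.g. ISRG_Root_X1, DST_Root_CA_X3).
ca_present() {
  [ -e "$1/$2.pem" ]
}

# 0 if entry $2 (e.g. mozilla/DST_Root_CA_X3.crt) is still enabled in
# conf $1; a deselected entry carries a leading '!', so only an exact
# line match counts as enabled.
ca_enabled_in_conf() {
  grep -qxF -- "$2" "$1"
}

# Deselect entry $2 in conf $1 (the OpenSSL blog workaround quoted in the
# comments), idempotently. Follow it with
# dpkg-reconfigure -fnoninteractive ca-certificates to apply.
disable_ca_in_conf() {
  [ -f "$1" ] || return 1
  ca_enabled_in_conf "$1" "$2" || return 0   # already deselected or absent
  sed -i "s|^$2\$|!$2|" "$1"
}

# Number of c_rehash-style links (8 hex digits, '.', a digit) in dir $1.
hash_link_count() {
  find "$1" -maxdepth 1 \
    -name '[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*' \
    | wc -l | tr -d ' '
}

# Returns 0 when ISRG Root X1 is present, DST Root CA X3 is neither
# installed nor enabled, and c_rehash has produced hash links; prints
# each failed check with the step from the answer that fixes it.
audit_trust_store() {
  dir=${1:-/etc/ssl/certs}; conf=${2:-/etc/ca-certificates.conf}; rc=0
  ca_present "$dir" ISRG_Root_X1 ||
    { echo "missing $dir/ISRG_Root_X1.pem: dpkg-reconfigure ca-certificates"; rc=1; }
  ! ca_present "$dir" DST_Root_CA_X3 ||
    { echo "expired $dir/DST_Root_CA_X3.pem still present: deselect it"; rc=1; }
  ! ca_enabled_in_conf "$conf" mozilla/DST_Root_CA_X3.crt ||
    { echo "DST_Root_CA_X3 still enabled in $conf"; rc=1; }
  [ "$(hash_link_count "$dir")" -gt 0 ] ||
    { echo "no hash links in $dir: run c_rehash $dir"; rc=1; }
  return $rc
}
```

Source the file and run `audit_trust_store` as root after the `make install` steps; a non-zero exit lists which of the answer's follow-up steps is still missing.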