AddTrust External CA Root expiration causing SSL certificate verification failures

Issue Description

On May 30th 2020 the AddTrust External CA Root certificate expired. Sectigo (formerly Comodo) had used this legacy root to cross-sign its USERTrust roots so that very old clients would trust them, and many Sectigo-issued certificates were still being served with that cross-signed intermediate in their chain. Modern browsers and OpenSSL 1.1.x build an alternative path to the self-signed USERTrust root and are unaffected, but older browsers and OpenSSL 1.0.x follow the chain to the expired root and stop there, so affected sites produce certificate warnings in older browsers and verification or connection failures in applications.

Luckily the issue can be resolved simply, though the fix depends on whether you are hitting it on the server side (clients reject the chain your application serves) or on the client side (your application cannot verify a third party's certificate).

Server-side Fix

If you are receiving reports of certificate validity errors for your application, or you wish to check proactively, do the following:

  1. Check your application with SSL Labs' site checker and review the Additional Certificates section to confirm that every certificate in the served chain is valid. If you use Amazon load balancers to serve domains other than those served directly by the environment, check the hostnames of both the load balancer(s) and the application master instance, or simply check every known domain for the application, so that no certificate is missed.
  2. If SSL Labs warns about those certificates, run the same URLs through What's My Chain Cert?. If the chain is not valid, the tool offers a corrected chain to download. The correction is to stop serving the intermediate that is cross-signed by AddTrust External CA Root; the chain then ends at the USERTrust root that clients already trust.
  3. In the Engine Yard dashboard, open the SSL Certificates page, view your existing certificate and copy its SSL Certificate Key and SSL Certificate. Use these, together with the new chain, to create a new SSL certificate and install it on your environment.
  4. If an Amazon CLB or ALB is in use, edit the CLB configuration or ALB endpoints to use the new certificate as well. A load balancer terminates TLS with its own copy of the certificate, so it keeps serving the old chain until it is updated.
  5. Re-check your application via SSL Labs.
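As an added example (not from this article and not Engine Yard's code), the following POSIX shell script does the same check from the command line: it pulls the chain a host actually serves with openssl s_client -showcerts and flags every certificate whose issuer is AddTrust External CA Root, which is exactly what SSL Labs and What's My Chain Cert? warn about. The parsing works on the " N s:<subject>" / "   i:<issuer>" lines that s_client prints in front of each certificate, so it handles both the OpenSSL 1.0 (i:/C=SE/O=AddTrust AB/...) and 1.1+ (i:C = SE, O = AddTrust AB, ...) name formats and can be exercised offline against the constructed sample output embedded below. The hostname app.example.com and the abbreviated subject names in the samples are placeholders.

```shell
#!/bin/sh
# Added example: audit a served certificate chain for the AddTrust cross-sign.
# Not from the Engine Yard article; host names and sample data are made up.

# addtrust_issued_certs: reads `openssl s_client -showcerts` output on stdin
# and prints "<depth> <subject>" for each chain certificate whose issuer is
# AddTrust External CA Root. It only looks at the " N s:" / "   i:" lines,
# so it is independent of the PEM bodies and of the OpenSSL 1.0 vs 1.1 name
# formatting. Always exits 0 so it is safe inside $(...).
addtrust_issued_certs() {
    awk '
        /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subject = $0; next }
        /^ *i:/ && index($0, "AddTrust External CA Root") > 0 { print depth " " subject }
    '
}

# chain_uses_addtrust: exit 0 when the chain on stdin still links through the
# expired root (the chain needs replacing), 1 when it does not.
chain_uses_addtrust() {
    [ -n "$(addtrust_issued_certs)" ]
}

# audit_host HOST [PORT]: fetch the live chain and report. Needs network and
# the openssl CLI, so it is not part of the offline sample run below.
# -servername sends SNI so a load balancer or vhost returns the right cert.
audit_host() {
    host=$1
    port=${2:-443}
    chain=$(openssl s_client -connect "$host:$port" -servername "$host" \
                -showcerts </dev/null 2>/dev/null)
    hits=$(printf '%s\n' "$chain" | addtrust_issued_certs)
    if [ -n "$hits" ]; then
        echo "$host:$port still serves a certificate signed by the expired AddTrust External CA Root:"
        echo "$hits"
        echo "Replace the chain (What's My Chain Cert?) and re-run."
        return 1
    fi
    echo "$host:$port: served chain does not depend on AddTrust External CA Root"
}

# Constructed sample output (abbreviated names) in the OpenSSL 1.1 format,
# as a Sectigo-issued site would have sent before its chain was replaced:
# the USERTrust certificate at depth 2 is the one cross-signed by AddTrust.
SAMPLE_OLD_CHAIN='Certificate chain
 0 s:CN = app.example.com
   i:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---'

# The same site after the fix: the chain stops at the intermediate, which
# clients complete with the self-signed USERTrust root from their own store.
SAMPLE_NEW_CHAIN='Certificate chain
 0 s:CN = app.example.com
   i:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
---'

# The broken chain as an OpenSSL 1.0.x client prints it (slash-separated names).
SAMPLE_OLD_CHAIN_10='Certificate chain
 0 s:/CN=app.example.com
   i:/C=GB/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 1 s:/C=GB/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---'

# usage: sh audit_chain.sh HOST [PORT]
# With no arguments only the constructed sample is evaluated.
if [ -n "${1:-}" ]; then
    audit_host "$1" "${2:-443}"
else
    printf '%s\n' "$SAMPLE_OLD_CHAIN" | addtrust_issued_certs
fi
```

Run it against every load balancer hostname and the application master hostname, before and after installing the new certificate; once the new chain is in place it should report no AddTrust-signed certificate. A third certificate at depth 2 is not wrong in itself; what matters is that its issuer is no longer the expired root.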

Client-side Fix

Engine Yard stacks Stable-v5 and below ship OpenSSL 1.0.x, which does not try alternative trust paths when building a chain. If the expired AddTrust External CA Root is present in the instance's certificate store and a third-party server still sends the intermediate cross-signed by it, OpenSSL chains to the expired root and fails, even though the same store also holds the valid USERTrust root that would verify the chain. This surfaces as OpenSSL verification errors (certificate verify failed) in your EY applications when they connect to such third-party servers. To resolve the issue the expired certificate must be removed from the instances' certificate store, so that OpenSSL is forced to build the chain to the current USERTrust root instead. To do this, run the following on all affected instances:

  1. Run sudo vim /etc/ca-certificates.conf
  2. Modify the line mozilla/AddTrust_External_Root.crt to !mozilla/AddTrust_External_Root.crt (note the exclamation point)
  3. Run sudo update-ca-certificates to rebuild the certificate store without the deselected root. Deselecting the entry with ! rather than deleting the .crt file means the change survives later updates of the ca-certificates package.

A custom Chef recipe to apply these changes to environments running the stable-v5 stack can be found here.
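As an added example (not the article's or Engine Yard's code, and not the Chef recipe referred to above), the following POSIX shell script performs steps 1 to 3 non-interactively and idempotently, so it can be run on every affected instance from a deploy hook or a Chef execute resource. The path /etc/ca-certificates.conf and the entry name mozilla/AddTrust_External_Root.crt are the ones the article gives; the function itself is generic and is demonstrated here on a constructed copy of the file rather than the live one.

```shell
#!/bin/sh
# Added example (not the article's or Engine Yard's code): deselect the
# expired AddTrust External CA Root in ca-certificates.conf and rebuild the
# store, idempotently. Run as root with "apply" to touch the real system.

CA_CONF=/etc/ca-certificates.conf
CA_ENTRY=mozilla/AddTrust_External_Root.crt

# disable_ca_entry CONF ENTRY
# Turns the line "ENTRY" in CONF into "!ENTRY", which is how
# ca-certificates.conf marks a certificate as deselected. Deselecting rather
# than deleting the .crt file means a later package update does not silently
# put the expired root back. Prints one of: changed, already-disabled,
# not-listed. Returns 1 only if CONF cannot be read or written.
disable_ca_entry() {
    conf=$1
    entry=$2
    [ -r "$conf" ] || return 1
    if grep -qxF "!$entry" "$conf"; then
        echo already-disabled
        return 0
    fi
    if ! grep -qxF "$entry" "$conf"; then
        echo not-listed
        return 0
    fi
    # Exact-line match in awk, so "/" and "." in the entry need no escaping;
    # write via a temp file and cat back to keep the file's inode and mode.
    ca_tmp=$(mktemp) || return 1
    if awk -v e="$entry" '$0 == e { print "!" e; next } { print }' "$conf" > "$ca_tmp" \
        && cat "$ca_tmp" > "$conf"; then
        rm -f "$ca_tmp"
        echo changed
    else
        rm -f "$ca_tmp"
        echo "cannot write $conf" >&2
        return 1
    fi
}

# apply_fix: edit the live store and rebuild the bundle. The edit alone does
# nothing: OpenSSL reads /etc/ssl/certs and the generated bundle, not
# ca-certificates.conf, so update-ca-certificates must run after a change.
apply_fix() {
    result=$(disable_ca_entry "$CA_CONF" "$CA_ENTRY") \
        || { echo "cannot update $CA_CONF (run as root)" >&2; return 1; }
    echo "$CA_ENTRY: $result"
    if [ "$result" = changed ]; then
        update-ca-certificates
    fi
}

# usage: sudo sh disable_addtrust.sh apply
# With no argument nothing on the system is touched.
if [ "${1:-}" = apply ]; then
    apply_fix
fi
```

After running it with apply, confirm the root is gone from the rebuilt store (ls /etc/ssl/certs | grep -i addtrust should print nothing) and that a connection to a previously failing third party now ends with Verify return code: 0 (ok) in openssl s_client output. The fix only helps because the store also contains the USERTrust RSA Certification Authority root, which current ca-certificates packages include; removing the expired root does not add anything, it just stops OpenSSL 1.0.x from choosing the dead path.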
