Re: Certificate validity error download.postgresql.org

From Tom Lane
Subject Re: Certificate validity error download.postgresql.org
Date
Msg-id 891177.1634231622@sss.pgh.pa.us
In reply to Certificate validity error download.postgresql.org  (Cedric Rey <cerey@groupemutuel.ch>)
List pgsql-general
Cedric Rey <cerey@groupemutuel.ch> writes:
> rpm -q ca-certificates --changelog
> * Tue Sep 14 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-72
> - Fix expired certificate.
> -    Removing:
> -     # Certificate "DST Root CA X3"

> As you can see they just remove the old "DST Root CA X3" in the latest el7 ca-certificate version, which corrects the problem I had before.

Wow, that is quite interesting, because they've propagated no such
update to my RHEL8 or Fedora 34 machines (mumble dnf update mumble
... nope, still not there).  I speculate that that's because those
releases don't need it: they're both running openssl 1.1.1something,
which will do the right thing as soon as it finds the ISRG Root X1
certificate in the chain.  But RHEL7 is still using openssl 1.0.2,
which will follow the chain to the DST cert and then spit up [1].
So evidently Red Hat has implemented OpenSSL's "workaround 1" [2]
on RHEL7, but they left well enough alone on newer platforms.

They could not have pushed out the DST cert removal much before
that cert expired, for fear of causing unnecessary problems
elsewhere.  So that's why the seemingly short notice.

            regards, tom lane

[1] https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816
[2] https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
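
The chain-building difference discussed in this message, as a simplified model (an added example, not part of the original message and not OpenSSL code). The certificate tuples are constructed stand-ins: the names match the Let's Encrypt chain, every expiry except DST Root CA X3's (2021-09-30) is a placeholder, and the fallback step is a simplification of the alternate-chain search in openssl 1.0.2.

```python
from datetime import datetime, timezone

# Constructed stand-ins: (subject, issuer, not_after). Not real certificate data.
FAR = datetime(2030, 1, 1, tzinfo=timezone.utc)            # placeholder expiry
DST_EXPIRY = datetime(2021, 9, 30, tzinfo=timezone.utc)    # DST Root CA X3 expired
NOW = datetime(2021, 10, 14, tzinfo=timezone.utc)          # around the thread date

LEAF = ("download.postgresql.org", "R3", FAR)
R3 = ("R3", "ISRG Root X1", FAR)
X1_CROSS = ("ISRG Root X1", "DST Root CA X3", FAR)         # cross-signed, sent by server
X1_ROOT = ("ISRG Root X1", "ISRG Root X1", FAR)            # self-signed, in trust store
DST_ROOT = ("DST Root CA X3", "DST Root CA X3", DST_EXPIRY)
SENT = [R3, X1_CROSS]                                      # chain the server presents

def find(subject, pool):
    return next((c for c in pool if c[0] == subject), None)

def build_chain(leaf, sent, store, trusted_first):
    chain = [leaf]
    while True:
        issuer = chain[-1][1]
        anchor, nxt = find(issuer, store), find(issuer, sent)
        # 1.1.1-style: stop at the first trusted issuer. 1.0.2-style: keep
        # following the peer-supplied certs for as long as there is one.
        if anchor and (trusted_first or nxt is None):
            return chain + [anchor]
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    # No anchor at the end of the peer chain: drop peer certs from the end
    # and retry the trust store (simplified alternate-chain fallback).
    while len(chain) > 1:
        chain.pop()
        anchor = find(chain[-1][1], store)
        if anchor:
            return chain + [anchor]
    return None

def verify(store, trusted_first, now=NOW):
    chain = build_chain(LEAF, SENT, store, trusted_first)
    if chain is None:
        return "no trusted issuer"
    expired = [c[0] for c in chain if c[2] < now]
    return "expired: " + expired[0] if expired else "ok"

if __name__ == "__main__":
    print("1.0.2-style, DST in store:  ", verify([X1_ROOT, DST_ROOT], False))
    print("1.0.2-style, DST removed:   ", verify([X1_ROOT], False))
    print("1.1.1-style, DST in store:  ", verify([X1_ROOT, DST_ROOT], True))
```
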


