Handling the expired Let's Encrypt SSL root certificate
The root certificate DST Root CA X3 expired on 30 September 2021.
Some machines or devices cannot conveniently be fixed by a plain update (they cannot be rebooted, cannot be updated, and so on).
On such a server, curl itself is also blocked and gets the message below.
Example: a Slack webhook (slack.com also uses Let's Encrypt)
curl https://slack.com/
returns the following error:
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
First check the OpenSSL version. The chain Let's Encrypt serves ends in ISRG Root X1 cross-signed by the expired DST Root CA X3; OpenSSL 1.1.0 and later tries alternative chains and stops at ISRG Root X1, so it is normally not affected, while OpenSSL 1.0.x follows the cross-signed path to the expired root and fails. If the version is too old (below 1.1.x), upgrading is still the recommended fix; the steps below are the workaround for machines that cannot be upgraded.
openssl version
...
Edit the trust store so the deprecated root certificate is no longer trusted
Open /etc/ca-certificates.conf for editing.
Find the line mozilla/DST_Root_CA_X3.crt in the file
and prefix it with !
e.g.
!mozilla/DST_Root_CA_X3.crt
Before saving, also confirm that the line mozilla/ISRG_Root_X1.crt is present and not prefixed with !, otherwise the Let's Encrypt chain is left with no trusted anchor at all.
Save the file, then run the following (it regenerates the machine's own bundle /etc/ssl/certs/ca-certificates.crt):
update-ca-certificates -v
That is all.
Check the result: run the command again
(against a site that also uses a Let's Encrypt certificate)
curl https://slack.com/
It now returns the normal raw page data.
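The whole procedure above, scripted as an added example (not code from the original post): a version check that decides whether the workaround is needed, and an idempotent edit of a Debian-style ca-certificates.conf that takes a backup, refuses to run if ISRG Root X1 is not enabled, and only then calls update-ca-certificates. The function and variable names (needs_workaround, disable_cert, apply_workaround, EXPIRED, REPLACEMENT) are this example's own; the file format assumed is the Debian/Ubuntu one where each line names one certificate and a leading "!" disables it.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Debian/Ubuntu
# /etc/ca-certificates.conf format: one "mozilla/<Name>.crt" per line,
# a leading "!" disables that certificate, "#" starts a comment.
set -eu

CONF=/etc/ca-certificates.conf
EXPIRED=mozilla/DST_Root_CA_X3.crt      # root that expired on 2021-09-30
REPLACEMENT=mozilla/ISRG_Root_X1.crt    # root the chain must end at instead

# needs_workaround "<output of: openssl version>" -> prints yes or no.
# OpenSSL < 1.1.0 picks the cross-signed path to the expired root; 1.1.x and
# later build an alternative chain to ISRG Root X1 and do not need the edit.
needs_workaround() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # e.g. 1.0.2k-fips
    major=${ver%%.*}
    rest=${ver#*.}
    minor=$(printf '%s' "${rest%%.*}" | tr -cd '0-9')
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 1 ]; }; then
        echo yes
    else
        echo no
    fi
}

# cert_enabled CONF NAME -> exit 0 if NAME is listed and not disabled with "!"
cert_enabled() {
    grep -qxF -- "$2" "$1"
}

# disable_cert CONF NAME -> prints disabled | already-disabled | not-found.
# Exactly the manual step from the post ("prefix the line with !"), but
# idempotent, anchored to the whole line, and with a backup copy.
disable_cert() {
    conf=$1
    name=$2
    if grep -qxF -- "!$name" "$conf"; then
        echo already-disabled
        return 0
    fi
    if ! cert_enabled "$conf" "$name"; then
        echo not-found
        return 1
    fi
    cp "$conf" "$conf.bak"
    # escape regex metacharacters in the name before using it in sed
    esc=$(printf '%s' "$name" | sed 's/[].[*^$|]/\\&/g')
    sed "s|^${esc}\$|!&|" "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
    echo disabled
}

# apply_workaround [CONF] -> disables the expired root and rebuilds the bundle.
# Refuses to touch anything if the replacement root is not enabled, because
# then removing DST Root CA X3 would leave the chain with no trust anchor.
apply_workaround() {
    conf=${1:-$CONF}
    if ! cert_enabled "$conf" "$REPLACEMENT"; then
        echo "refusing: $REPLACEMENT is not enabled in $conf" >&2
        return 1
    fi
    disable_cert "$conf" "$EXPIRED"
    update-ca-certificates -v                      # regenerates ca-certificates.crt
}
```

Run as root with `apply_workaround`, or first dry-check with `needs_workaround "$(openssl version)"`; afterwards `curl https://slack.com/` (or `openssl s_client -connect slack.com:443 -servername slack.com`) should verify the chain again. The check is intentionally done on the conf file rather than by grepping the generated bundle, because update-ca-certificates rewrites the bundle from that conf.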