lynx-dev
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Lynx-dev] Renew openssl certificates

From: Thorsten Glaser
Subject: Re: [Lynx-dev] Renew openssl certificates
Date: Thu, 30 Sep 2021 17:46:17 +0000 (UTC) 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Travis Siegel dixit:

> server, should I move that certificate somewhere else to get lynx to treat it

You can apply the certificate bundle MirBSD ships if you trust me enough
(IIRC it is also linked in lynx’ documentation).

You’ll have to go to the following URLs and download the two files:
https://www.mirbsd.org/cvs.cgi/src/etc/ssl.certs.shar?rev=HEAD and
https://www.mirbsd.org/cvs.cgi/src/etc/ssl.links.shar?rev=HEAD
You’ll need to use a browser/downloader that still supports TLSv1
(and does not require TLSv1.2 like Google’s or Mozilla’s) to get them;
unfortunately, the server uses a LE certificate as well so you have a
hen-egg problem.

Here’s a hash of the latest versions of these files; I’m PGP-signing
this eMail, so you have at least another-ish venue to verify them:

=====| cutting here may damage your screen surface |=====
$ ident ssl.*
ssl.certs.shar:
     $MirOS: src/etc/ssl.certs.shar,v 1.52 2019/05/16 19:55:41 tg Exp $

ssl.links.shar:
     $MirOS: src/etc/ssl.links.shar,v 1.9 2019/05/16 19:55:43 tg Exp $
$ sha256sum ssl.*
2e9d27cf61fa49dc9ff0bfb9c328221cfad494d7927b8fc84a1423e806dc39ca  ssl.certs.shar
e7283c4dc4ecc0d67d43b6ec9e1a896119100ddfb9e7f582f11021906a912195  ssl.links.shar
=====| cutting here may damage your screen surface |=====

Then create a new temporary directory and run ssl.certs.shar there.
It will create all the certificate files. You can then generate a
nonGNUTLS bundle from that by doing:

        cat *.[0-9] | sudo dd of=/etc/ssl/certs/ca-certificates.crt

Then run ssl.links.shar in that directory, which will create the
compatibility symlinks (ssl.certs.shar’s filenames use the OpenSSL
0.x and nonGNUTLS hash; OpenSSL 1.x+ uses a different certificate
hash which these symlinks account for). Finally copy all files and
symlinks into the final destination, overwriting existing ones:

        sudo pax -rw -pe *.* /etc/ssl/certs/    # either this…
        sudo cp -a *.* /etc/ssl/certs/          # … or that…
        # … followed by:
        sudo chown 0:0 /etc/ssl/certs/*

The first alternative of the copying command needs pax installed,
which comes by default on BSD but not many GNU systems; the second
uses a GNU coreutils feature and hence only works on those :/

You may also delete the now-expired DST Root certificate (until I
manage to update the bundle, a process during which I prune expired
ones; this one only expired yesterday and I have not yet got around
to doing so):

        sudo rm /etc/ssl/certs/12d55845.0       # the file
        sudo rm /etc/ssl/certs/2e5ac55d.0       # the symlink

(You might even wish to remove it from the nonGNUTLS bundle
/etc/ssl/certs/ca-certificates.crt but it seems to be fine
to just leave it there.)

That’s it about updating the root certificates on the client. Now
older OpenSSL versions not manually patched will still mark the
server certificate as expired because the ISRG-root-crosssigned-
by-DST-root certificate is still delivered as part of the chain
from servers to clients, mostly due to LE still delivering it as
element of the official fullchain, a bug which I already reported:
https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190/328

To fix this, go to all servers *you* have access to and remove
the following snippet from every file in /etc/ssl/ and possibly
/etc/ssl/private/ that contains it:

        -----BEGIN CERTIFICATE-----
        MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
        MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
        DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
        TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
        cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
        AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
        ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
        wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
        LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
        4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
        bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
        sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
        Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
        FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
        SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
        PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
        TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
        SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
        c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
        +tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
        ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
        b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
        U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
        MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
        5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
        9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
        WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
        he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
        Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
        -----END CERTIFICATE-----

You can see it’s the right one by piping through “openssl x509 -text”
which will show (starting around line 7 or so):

        Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
        Validity
            Not Before: Jan 20 19:14:03 2021 GMT
            Not After : Sep 30 18:14:03 2024 GMT
        Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1

(In case you wonder: it’s not this one which is expired but it’s
signed from “DST Root CA X3” and *that* is the one having expired:)
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT
        Subject: O = Digital Signature Trust Co., CN = DST Root CA X3

Then restart affected services (or the entire server, if unsure).

I’m doing mine right now, so give me some minutes to do that for
MirBSD’s machines…

Good luck,
//mirabilos
- -- 
> Wish I had pine to hand :-( I'll give lynx a try, thanks.

Michael Schmitz on nntp://news.gmane.org/gmane.linux.debian.ports.68k
a.k.a. {news.gmane.org/nntp}#news.gmane.linux.debian.ports.68k in pine

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (MirBSD)
Comment: ☃ ЦΤℱ—8 ☕☂☄

iQIcBAEBCQAGBQJhVffxAAoJEHa1NLLpkAfgbqIP/i1dQNJw99oTsEd0UuEuiI1J
2vjLB/tb5X2sf5b+78W0/zuXMJ2Xxakj9WtSJ2uRvaCLw/80STMNlM1O416FH9jV
QPb5udg/3lEe9Sccorv/bMtndhV/sjLj96HsCcwwFi8O+AffCWhNcNCw67J+j8Yt
6+pZIrOcc9AbtpqHYfAr7RgHHQepoA9w+j+/XykLauGp4g/XGvymD1/DKXqUIDNn
74M0zAoFDBvHVSS9AbYQ6dY9VXoB2aX2ahe6PEKYiCU4GSQ3a+hOYOsmvF6cWzvt
/Na7fu9gQPG02yWDcIPp0VemF5IJuByGnF0NVSFyAzLTXmPestBlyMTjBbTmZb4T
yFpDhc5ibQbFiBNyM9hqAqVN8V0O9nyVmLBUbMqsGW4Dk/FYtWpWHff42f+YY6PG
vo8cfK3qOAxNyY/2DhzxSQKoa4fbarVzfJ9cpSBllWL8ztlsD5pF+CRl+ILCjq7H
WMB4UtUNp7fGxL38qN6e5oriszP6UJ8jV87m3FjNgZ814qKoMPGfJo7+dW4f/k8S
/qhrjueRxxvzI4CYwZrWSLejmUEn1s5L2LndvEndjwnVg0AF3IjEUoQch4rILs9P
IbNsmN/oUh/75ylUh9HyTNm0ZzSxz6iOx7IxVwNN7xyObqzMKF/aQQwtLL6karhY
wu8khEOFfFqDyoFwSHc2
=nDpF
-----END PGP SIGNATURE-----
reply via email to
[Prev in Thread] Current Thread [Next in Thread]