Bug 258834 - security/ca_root_nss: request to remove outdated "DST Root CA X3" cert b/c of collateral damage
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Many People
Assignee: Ports Security Team
Reported: 2021-10-01 10:00 UTC by Tassilo Philipp
Modified: 2021-10-05 11:21 UTC
bugzilla: maintainer-feedback? (ports-secteam)

Description Tassilo Philipp 2021-10-01 10:00:06 UTC
Hello,

Since yesterday, the "DST Root CA X3" (44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b) cert is expired, and although that's in theory not a big deal and normal, it seems to cause problems for different applications. E.g. unbound fails to verify certs of DoT servers that use LE certificates. Removing that cert from the bundle fixes the issue. I think in unbound's case it is misled into following the wrong chain, so removing this cert results in a working verification using the certs it actually is supposed to look at... dunno, sorry for not having analyzed this further.

This is not the ca_root_nss pkg's fault from what I understand, but rather bugs in different applications, so sorry for opening this PR about ca_root_nss. However, it's safe to remove the outdated cert, and it'll implicitly fix other stacks. Other vendors seem to have followed the same approach, e.g. Apple.

More info:
https://old.reddit.com/r/sysadmin/comments/pyzb6s/did_the_lets_encrypt_dst_ca_x3_root_certificate/
https://forum.opnsense.org/index.php?PHPSESSID=0fu9b0q69p7l53agatlc4b0lgk&topic=24950.0

Note: there was also a release for v3.71 yesterday; maybe upstream removed this themselves.
Comment 1 Christos Chatzaras 2021-10-01 10:22:56 UTC
Is there any way to manually remove it?
Comment 2 Tassilo Philipp 2021-10-01 10:29:57 UTC
Yes, I personally just deleted the cert 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b from /etc/ssl/cert.pem manually, and my unbound works again.
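The manual fix in comment 2 (delete one expired root from /etc/ssl/cert.pem) can be turned into a repeatable check. The script below is an added example, not code from the bug report or from the ca_root_nss port: it walks a PEM bundle, reads each certificate's notAfter with a minimal DER parser (standard library only), lists every root that is already expired together with its fingerprint, and can write a pruned copy. It assumes the quoted 16-byte fingerprint is an MD5 digest of the DER bytes and prints fingerprints in that shape; the two certificates in SAMPLE_BUNDLE are constructed, unsigned skeletons whose only meaningful content is the validity period, not real CA certificates.

```python
"""Audit a PEM CA bundle (e.g. /etc/ssl/cert.pem) for expired roots and
optionally write a copy without them. Added example; stdlib only."""
import base64
import hashlib
import re
import sys
from datetime import datetime, timezone

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)
# Time of the original report, used as a fixed "now" for reproducible runs.
REPORT_TIME = datetime(2021, 10, 1, 10, 0, tzinfo=timezone.utc)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def not_after(der):
    """notAfter of a DER-encoded X.509 certificate as an aware UTC datetime."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)        # Certificate -> TBSCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    tag, raw = list(_children(fields[3][1]))[1]  # validity.notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def fingerprint(der):
    """Colon-separated MD5 digest of the DER bytes (assumed to match the report's format)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(der, usedforsecurity=False).digest())


def audit_bundle(pem_text, now=None):
    """Return (kept_pem, removed): kept_pem holds every certificate still valid
    at `now`; removed lists (fingerprint, notAfter) of the expired ones."""
    now = now or datetime.now(timezone.utc)
    kept, removed = [], []
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode(m.group(1))
        expiry = not_after(der)
        (removed.append((fingerprint(der), expiry)) if expiry < now
         else kept.append(m.group(0)))
    return "".join(block + "\n" for block in kept), removed


# --- constructed sample data (not real CA certificates) --------------------
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def skeleton_cert(not_before, not_after_utc):
    """Structurally valid but unsigned X.509 skeleton; only validity matters here."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                  # [0] version v3
        _der(0x02, b"\x01"),                                               # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSA
        _der(0x30, b""),                                                   # issuer (empty)
        _der(0x30, _der(0x17, not_before) + _der(0x17, not_after_utc)),    # validity
        _der(0x30, b""),                                                   # subject (empty)
        _der(0x30, b""),                                                   # SPKI (stub)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def _pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


# One stand-in expired on 2021-09-30 (like the root in the report), one valid until 2035.
SAMPLE_BUNDLE = ("## expired-root (constructed)\n"
                 + _pem(skeleton_cert(b"000930211219Z", b"210930140115Z"))
                 + "\n## current-root (constructed)\n"
                 + _pem(skeleton_cert(b"150604110438Z", b"350604110438Z")) + "\n")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    kept, removed = audit_bundle(text)
    for fp, exp in removed:
        print(f"expired {exp:%Y-%m-%d %H:%M:%S} UTC  {fp}")
    if len(sys.argv) > 2:                        # second argument: path for the pruned copy
        with open(sys.argv[2], "w") as f:
            f.write(kept)
```

Run without arguments to see the constructed sample; run as `python3 audit_bundle.py /etc/ssl/cert.pem` to list expired roots in a real bundle without touching it, and add a second path to write the pruned copy (only the PEM blocks are kept, so the textual certificate dumps between them are dropped). Pruning on expiry alone is the check the reporter applied by hand; it does not decide whether an application's chain building would have preferred a still-valid root, which is the application-side bug the description mentions.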
Comment 3 Tassilo Philipp 2021-10-03 15:11:39 UTC
Just for reference, as this is a much clearer description of the problem:
https://www.catchpoint.com/blog/lessons-from-an-internet-outage-issues-caused-by-lets-encrypt-dst-root-ca-x3-expiration
Comment 4 Larry Rosenman (freebsd_committer) 2021-10-05 11:21:03 UTC
Can this be done with some urgency? The cgit.freebsd.org repo uses a Let's Encrypt certificate, and fetching from it doesn't work with the DST root trusted.