[MacPorts] #63809: Remove expired root certificate from Braeburn's Let's Encrypt certificates

MacPorts noreply at macports.org
Fri Nov 5 10:38:49 UTC 2021


#63809: Remove expired root certificate from Braeburn's Let's Encrypt certificates
----------------------------+---------------------
 Reporter:  ryandesign      |      Owner:  admin@…
     Type:  defect          |     Status:  new
 Priority:  Normal          |  Milestone:
Component:  server/hosting  |    Version:
 Keywords:                  |       Port:
----------------------------+---------------------
 Please edit the fullchain.pem file for each live Let's Encrypt SSL
 certificate on Braeburn to remove the third (expired DST Root CA X3)
 certificate.

 Also add the flag `--preferred-chain "ISRG Root X1"` to the `certbot`
 invocation that renews each certificate so that future certificate
 renewals do not put back that expired root.

 This will fix this problem on Mojave and other older macOS versions:

 {{{
 $ dig +short www.macports.org
 braeburn.macports.org.
 136.243.18.213
 $ /usr/bin/curl -I https://www.macports.org
 curl: (60) SSL certificate problem: certificate has expired
 More details here: https://curl.haxx.se/docs/sslcerts.html

 curl performs SSL certificate verification by default, using a "bundle"
  of Certificate Authority (CA) public keys (CA certs). If the default
  bundle file isn't adequate, you can specify an alternate file
  using the --cacert option.
 If this HTTPS server uses a certificate signed by a CA represented in
  the bundle, the certificate verification probably failed due to a
  problem with the certificate (it might be expired, or the name might
  not match the domain name in the URL).
 If you'd like to turn off curl's verification of the certificate, use
  the -k (or --insecure) option.
 HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
 }}}

 Compare with build.macports.org where I've already made those changes:

 {{{
 $ /usr/bin/curl -I https://build.macports.org
 HTTP/2 200
 server: nginx/1.21.3
 date: Fri, 05 Nov 2021 10:35:57 GMT
 content-type: text/html; charset=utf-8
 content-length: 2805
 vary: Accept-Encoding
 strict-transport-security: max-age=15768000
 }}}

 See ProblemHotlist#letsencrypt for more info.

-- 
Ticket URL: <https://trac.macports.org/ticket/63809>
MacPorts <https://www.macports.org/>
Ports system for macOS
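
The fullchain.pem edit requested in the ticket, as an added example that is not part of the original ticket and not MacPorts' own tooling. It assumes the file is ordered leaf, intermediate, then the third certificate the ticket asks to remove; the function names and the placeholder certificate bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example: trim a certbot-style fullchain.pem to leaf + intermediate.

# Number of PEM certificate blocks in FILE.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print only the first KEEP certificate blocks of FILE, in order.
trim_chain() {
    awk -v keep="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inblock = 1 }
        inblock && n <= keep           { print }
        /^-----END CERTIFICATE-----/   { inblock = 0 }
    ' "$1"
}

# Rewrite FILE so it holds only its first two certificates, keeping the
# original as FILE.bak. Does nothing if FILE already has two or fewer.
fix_fullchain() {
    file=$1
    [ -f "$file" ] || return 1
    [ "$(count_certs "$file")" -gt 2 ] || return 0
    tmp=$(mktemp) || return 1
    trim_chain "$file" 2 > "$tmp"
    if [ "$(count_certs "$tmp")" -ne 2 ]; then
        rm -f "$tmp"; return 1      # refuse to install a malformed chain
    fi
    cp -p "$file" "$file.bak"
    # Write through with cat, not mv: certbot's live/ entries are symlinks
    # into archive/, and mv would replace the link and reset permissions.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed sample: three placeholder blocks (bodies are not real
# certificates) standing in for leaf, intermediate and the third entry.
make_sample() {
    for name in LEAF INTERMEDIATE THIRD; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$name" \
            '-----END CERTIFICATE-----'
    done > "$1"
}

dir=$(mktemp -d)
make_sample "$dir/fullchain.pem"
fix_fullchain "$dir/fullchain.pem"
echo "certificates after trim: $(count_certs "$dir/fullchain.pem")"
rm -rf "$dir"
```

The web server has to reload the certificate file before clients see the shorter chain, and without the `--preferred-chain` flag from the ticket the next renewal writes a new three-certificate file.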

