Let's Encrypt SSL certificates are being linked to an expired root certificate #2554
Comments
|
Wrong repo and duplicate. |
|
No worries, hotfix going out later today :) |
|
In fact I am quite worried as opnsense updates failed to due to invalid certificate. |
|
@ssbarnea likely these issues are due to a certificate locally installed, just try to update from a fresh install (works like a charm from here). Most of this is caused due to how let's encrypt handles their expired certificate (I assume you can't access their website either from the same install as it distributes the same chain) |
|
My OpenSense box was configured to auto-update and I am running 21.7.3_1 which right now is unable to get any updates, from any mirror! I doubt all of them are using the new certificate. The funny bit is that my router has an ACME certificate configured on it for it own interface and I was able to use ACME client to regenerate certificates. That part worked but the router itself is not able to get any updates and I don't really understand why this happens. Wasn't the "default" mirror option designed to provide resiliency for the case when one of few mirrors go down? I tried picking 4-5 and I still get the same kind of errors,... and interestingly they all involve I guess I need to manually add the new intermediate ACME certificate to fix it but I am unable to find it. |
|
I found the certificates on https://letsencrypt.org/certificates/ but is not clear which files i need to download and upload to the router. The cross-signed or the self-signed ones? I guess pem format. Update: I uploaded both cross-signed root ones but updates still do not work. Considering that this is breaking core updates, I am not sure if we can really claim that is a plugin issue. Or maybe we need a new ticket to track that issue. |
|
It's likely that you have one certificate installed which you shouldn't trust anymore, which is the same as the webbrowsers have implemented. Let's encrypt sends two paths, if the expired one is trusted on your end, the path is expired. Which is why you likely can access https://pkg.opnsense.org from a browser without issues (and also from a clean install). |
|
some context for RHEL which explains the issue quite nicely (in my humble opinion): https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 . When using LibreSSL, the trust first doesn't seem to be available yet (https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig thanks @fichtner), in which case you really need to make sure "DST Root CA X3" isn't trusted on your end. |
AFAICT, the expired X3 CA is still shipped with ca_root_nss-3.69_1 (and installed in /usr/local/etc/ssl/cert.pem). Could this be the root cause? |
Still, the main issue here is that router itself does not have a correct set of CA certificates, so update process is still partially broken. I do suspect that should also be the case for a long list of opnsense users. I see some kind of vicious cycle: new CA certs needed in order to get updates, you cannot update due to outdated CA certs. |
|
@fraenki that depends if people suffering from this issue are all using LibreSSL, but if the expired cert is still shipped, eventually it should be removed. |
|
@AdSchellevis I'm on OpenSSL and am seeing the same issue here. It's unrelated to os-acme-client. In the link you've posted they said that RedHat removed the expiring CA from the root CA list as a fix. An alternative could be to blacklist the expired CA, because I figure customizing ca_root_nss is not an option. |
|
I failed to mention that my "flavour" is still on default. Should I change it to something else? |
|
@fraenki what happens if you replace |
|
@AdSchellevis Same result. And I think this is expected, because |
|
@fraenki well, the same cert is also available on my end, but my machine works like a charm (tested both pkg and curl) |
|
@AdSchellevis Then there's something wrong with how the trust chain is build/updated, right? I don't know how this could be os-acme-client's or a user's fault. |
OK, I have to reiterate on that. During my previous test the file got overwritten by the system before I've started my test. So after running a new test I can confirm now that overwriting both files fixes the warning. And I can confirm that having the current and not expired X3 cert in EDIT: Just tested this on a fresh installation. Importing the new X3 cert immediately causes the validation issue. Removing it fixes it. Does this make sense? Full X3 chain for testing: |
OK, the sort order in
As a result, it gets added to This issue seems to only affect base tools such as Not sure how to proceed from here... |
|
@fraenki base uses its own openssl version, which might have issues with the dual path. I'm not sure when The easiest fix from our end is probably to ship a ca-root-nss.crt in the future without the expired cert, some sort of "blacklist" mechanism might also be something to consider in the long-run, as these type of issues aren't exclusive to this single cert. Am I right to assume that you only have seen this issue on machine which do have certificates imported locally (in System: Trust)? Or is there an edge case I haven't seen yet? |
In another test this worked as expected. Sorry for the confusion that my first test caused.
Only when importing the new X3 CA chain. @AdSchellevis, do you have any idea why the sort order matters? This might be key for fixing this issue. I've also seen that that other firewall project uses a different approach for handling root certificates... |
|
@fraenki I can only assume that openssl in base doesn't come with I'm not sure if/how others sort certificates, but adding logic in these things usually is asking for issues later on. As an experiment you could try to feed your certificates before the standard set in system_trust_configure (https://github.com/opnsense/core/blob/d5d52ac975a62c083b82758dcc4ab2ab3a68c856/src/etc/inc/system.inc#L825). I'm a bit hesitant for large changes and logic around certificate generation as this likely irons itself out in time since the ports packages seem to be doing the right thing and I don't expect the functional difference in ordering is intentional. |
I've manually put the CA chain on top of |
|
@AdSchellevis @fraenki hi! can i join the discussion? I also tested different options and so far I got this explanation for myself: the matter is generally in the presence of the cross-signed ISRG Root X1 certificate in the trust store. |
|
@kulikov-a In principle I'm certainly not against an explicit blacklist, although with Building a user friendly blacklist will have some challenges of it's own, we really would like to keep |
|
@AdSchellevis on a vm without a acme plugin certificate, I added the ISRG Root X1 cross-signed certificate to the trusted and made a quick POC (kulikov-a/core@083c7e6) |
|
Thanks for all the discussion! So if I see correctly, if both X1 root and R3 intermediate are installed in this order in System: Trust: Authorities this works? And if none are present this works too? |
|
@fichtner yes. order matters. |
|
the question is whether changing the order makes it right or are we just tricking openssl with the wrong order |
|
A little history. Users nagged us to move firmware updates to HTTPS and FreeBSD still doesn’t to it. Also, Adding CA certificates to trust store was a feature request by users a while back. I would hardly call this “a different approach” to trust stores. It looks like the usual price of being progressive and listening to users despite core team reservations and potential pitfalls. Essentially we can’t take a lot of care validating and reordering arbitrary input so that “OpenSSL does the right thing” when CA certificates are renewed and their chain is altered. It obviously is a weak point in OpenSSL by itself and is best avoided. Commercial CAs do this too and it always ends in problems, I can tell you this much from previous work experience with S/MIME in particular. It might make sense to add reordering to the system: trust: authorities page or try to reorder using issuer/subject CN while appending to trust store if that doesn’t take an a awful lot of computing time. Or just let people know that chains need to be reversed in the documentation to make sense of what’s going on. FWIW, “trusted_first“ seems to be set in base OpenSSL as well so that’s definitely not our issue. I also think that next ca_root_nss package will remove the expired CA and that should be it. |
|
thanks for the explanation!
as my tests showed (manualy delete DST cert from ca_root_nss and trigger I checked another option for a quick hotfix (not a complete solution with the ability to block trust of any certificate, but a PoC that allows users to exclude certs in System: Trust: Authorities from store). something like kulikov-a/core@636f3a0 |
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
New generated/re-issued SSL certificates with Let's Encrypt via the ACME Client are linked to an expired R3 Root Certificate.
Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A valid SSL Certificate is generated with no issues in its chain.
Describe alternatives you considered
Using another SSL certificate provider
Screenshots
Relevant log files
n/a
Additional context
The R3 root certificate expired yesterday:
https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/
Environment
Software version used and hardware type if relevant, e.g.:
OPNsense 21.7.3_1-amd64
FreeBSD 12.1-RELEASE-p20-HBSD
OpenSSL 1.1.1l 24 Aug 2021
The text was updated successfully, but these errors were encountered: