lists.arthurdejong.org

cross signed certs with expired root cert

An interesting day today.
A bunch of my systems using Let's Encrypt certs broke today.
Even the 0.9.11 systems w/ OpenSSL 1.1.1.

They were cross signed with the now expired DST Root CA X3 and
ISRG Root X1.

After removing the DST Root CA X3 bits from the cert bundle I was
able to get nslcd to work again.

Searching for info, I discovered that this is the only way to make
OpenSSL 1.0.2 systems work, but OpenSSL 1.1.0 and later have the
capability to use the trusted one first. May be a good enhancement
for nslcd.

These 2 paragraphs from an OpenSSL blog may be of interest.
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

    The -trusted_first option support in openssl verify, openssl s_client,
    and other similar openssl commands when applied, overrides the
    certificate chain building so it prefers the trust store certificates
    over the untrusted certificates in the chain provided by the peer.
    That effectively means that with the option enabled the problem
    does not happen.

    However the option is not enabled by default and third party
    applications do not usually provide a way to enable this option.
    The applications would have to call X509_VERIFY_PARAM_set_flags()
    function with the X509_V_FLAG_TRUSTED_FIRST flag to enable this option.


-- 
Tim Rice                                Multitalents
tim@multitalents.net
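The following script is an added reproduction of the situation described in the message above; it is not part of Tim's message, of nss-pam-ldapd, or of the OpenSSL blog post. It builds throwaway certificates (the names "Old Root", "New Root", "Intermediate" and ldap.example.test are made up) with an old root that is expired at the chosen verification time, a new root cross-signed by the old one, and a leaf whose server-sent chain ends in that cross-signed root, i.e. the shape of the Let's Encrypt chain under DST Root CA X3. It then runs openssl verify against three trust stores. On OpenSSL 1.1.0 and later, where trusted-first is the default, the chain verifies whenever the self-signed new root is in the store, even if the expired old root is still there; on 1.0.2 that second case is the one that needs -trusted_first. A store containing only the expired old root fails on every version, because the only chain that can be built ends in an expired anchor. The openssl CLI (1.1.1 or newer is assumed) must be installed.

```sh
#!/bin/sh
# Added example, not code from the original message or from nss-pam-ldapd.
# All certificate names below are made up. Requires the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for 'openssl x509 -req'. Key identifiers are set
# explicitly so that both the self-signed and the cross-signed New Root
# are acceptable issuers for the intermediate (same key, same SKID).
printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > root.ext
printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n' > leaf.ext

# newkey NAME SUBJECT: generate an EC key and a CSR for it.
newkey() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
}
newkey oldroot "/CN=Old Root"
newkey newroot "/CN=New Root"
newkey int     "/CN=Intermediate"
newkey leaf    "/CN=ldap.example.test"

# Old Root lives one day, so it is expired at the verification time chosen
# below; everything else is long-lived.
openssl x509 -req -in oldroot.csr -signkey oldroot.key -days 1 \
  -extfile root.ext -out oldroot.pem 2>/dev/null
openssl x509 -req -in newroot.csr -signkey newroot.key -days 3650 \
  -extfile root.ext -out newroot.pem 2>/dev/null
# Cross-sign: New Root's key and name, but issued by Old Root (the analogue
# of ISRG Root X1 signed by DST Root CA X3).
openssl x509 -req -in newroot.csr -CA oldroot.pem -CAkey oldroot.key -CAcreateserial \
  -days 3650 -extfile ca.ext -out newroot-cross.pem 2>/dev/null
openssl x509 -req -in int.csr -CA newroot.pem -CAkey newroot.key -CAcreateserial \
  -days 3650 -extfile ca.ext -out int.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 3650 -extfile leaf.ext -out leaf.pem 2>/dev/null

# What the server hands out next to its leaf: intermediate + cross-signed root.
cat int.pem newroot-cross.pem > sent-chain.pem
# Three client trust stores (the role played by the CA bundle nslcd loads).
cp newroot.pem trust-new.pem                  # only the new root
cat newroot.pem oldroot.pem > trust-both.pem  # new root plus the expired old one
cp oldroot.pem trust-old.pem                  # only the expired old root

# Verify as if it were two days from now: Old Root has expired, nothing else has.
ATTIME=$(( $(date +%s) + 2 * 86400 ))

# verify_leaf STORE [verify options]: prints a verdict, returns 0 on success.
verify_leaf() {
  store=$1; shift
  if out=$(openssl verify -attime "$ATTIME" -CAfile "$store" \
             -untrusted sent-chain.pem "$@" leaf.pem 2>&1); then
    echo "$store: OK"
  else
    echo "$store: FAIL ($(printf '%s\n' "$out" | grep -m1 '^error' || echo "$out"))"
    return 1
  fi
}

verify_leaf trust-new.pem
verify_leaf trust-both.pem
verify_leaf trust-both.pem -trusted_first   # same result here; only matters on 1.0.2
verify_leaf trust-old.pem || :
```

The point for nslcd users is the middle case: with OpenSSL 1.1.0 or later, leaving the expired DST Root CA X3 in the bundle is harmless as long as the self-signed ISRG Root X1 is also there, because the chain builder reaches for the trusted root before it follows the server's cross-signed certificate. Removing the old root from the bundle only helps when the self-signed new root is present; with nothing but the expired root to anchor on, the last case, no flag rescues the connection.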