[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [XEN PATCH 3/4] automation: Remove expired root certificates used to be used by let's encrypt
- To: Anthony PERARD <anthony.perard@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
- From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- Date: Wed, 15 Feb 2023 12:41:02 +0000
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=T0BBgB+kCf7A2fKZRpLq7fGvnhr0SlfSLUYirAnAG8I=; b=CP/L/f3/oAVwIXcv8f5Dsds6LVwhucSALiJir/h5Oy/hyN365zF+6qhZh+rNXe/AdrXpRxThv8UvW6oFXuEiSqk9Wu2o6Exx7QSk6TU2UYN5YyErGAYl4+vtQnzmv1x/2a2QRxTyPUVLf+hgpKsx2T297XrbfiBNbmtgiugy1djamJqKrzSEcTx3m3hIAxF/Yl6IlVPC1H/UNy16qnesgX44BuJIUb7LYJbzs/AYmBBGuMTlGYLpcjywxI1d6Ru2tVzmy2L5s76KAty6mVwtp8TzvysavG7fqtueJ5Vc1Qh4mSVsaty6c2tK1fIOPwla6xsn/lQVM5UoJEE4n1izVw==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MaMXQEY2tPsYf0jNqFfIAbZAUR72Ty9D8ZBDbFPT+TXHNhG71cPP6Z8d/0JDxBJCvgUWyCZkIVnCVtEGmkW/D0PJ2kDIgKr4EvQtHqt4wnugKwMTcCiWmiCSU+gbgn4p32iTdpnF+yxAR5+bRCdLaWmF2R5oXJv99swm9uvikAaQH00JWkMhCZlrp2SEEYH291amYlv08AYofr567Hb+FNVqCFXzMdvc6l5gKNfggvVTA5bX6IAvNACXif6mhJefwt3sR+fFyLwLA2FAP53a2dN8oL3oH5B3nIp81SkVKL6X9qKzgl2/07hlqe8YP/i4qznfupqE0jZslnetm50n0A==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: Doug Goldstein <cardoe@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>
- Delivery-date: Wed, 15 Feb 2023 12:41:20 +0000
- Ironport-data: A9a23:RodK/6wyC0TEctUN6nR6t+cAxyrEfRIJ4+MujC+fZmUNrF6WrkVVm mNODT+FOvyPMWL3KNt1aIyyoEwEv5GGzYNqSVBoriAxQypGp/SeCIXCJC8cHc8wwu7rFxs7s ppEOrEsCOhuExcwcz/0auCJQUFUjP3OHfykTrafYEidfCc8IA85kxVvhuUltYBhhNm9Emult Mj75sbSIzdJ4RYtWo4vw//F+UwHUMja4mtC5QRkPK0T5TcyqlFOZH4hDfDpR5fHatE88t6SH 47r0Ly/92XFyBYhYvvNfmHTKxBirhb6ZGBiu1IOM0SQqkEqSh8ai87XAME0e0ZP4whlqvgqo Dl7WT5cfi9yVkHEsLx1vxC1iEiSN4UekFPMCSDXXcB+UyQq2pYjqhljJBheAGEWxgp4KXxc5 eU4JWAGUh+Sl/zn8Y+3a9JXqst2eaEHPKtH0p1h5RfwKK58BLrlGuDN79Ie2yosjMdTG/qYf 9AedTdkcBXHZVtIJ0sTD5U92uyvgxETcRUB8A7T+fVxvjGVkFMZPLvFabI5fvSjQ8lPk1nej WXB52njWTkRNcCFyCrD+XWp7gPKtXKqBd9OSOLonhJsqGeX6UBNNCY/b1WQi76YgBGkYtBCL mVBr0LCqoB3riRHVOLVTxC+5XKJoBMYc95RCPEhrhGAzLLO5ASUDXRCSSROAPQtvdU6QjEC3 VaTk9TkQzdotdW9UmmB/72ZqTezPyk9LmIYYyIACwwf7LHeTJobixvOSpNpFvezh9itQzXom WjW8245mqkZitMN2+Oj51fbjjmwp5/PCAko+gHQWWHj5QR8DGK4W7GVBZHgxa4oBO6kopOp5 hDoR+D2ADgyMKyw
- Ironport-hdrordr: A9a23:iBgh6as/I7v4xOY/LQDAhyEA7skDZ9V00zEX/kB9WHVpm62j+v xG+c5xvyMc5wxhO03I5urwWpVoLUmzyXcX2+Us1NWZPDUO0VHARL2KhrGM/9SPIUzDH+dmpM JdT5Q=
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 15/02/2023 12:02 pm, Anthony PERARD wrote:
> While the Let's Encrypt root certificate ISRG_Root_X1.crt is already
> present, openssl seems to still check for the root certificate
> DST_Root_CA_X3.crt which has expired. This prevent https connections.
>
> Removing DST_Root_CA_X3 fix the issue.
>
> centos: found the filter by looking for "DST Root" in `trust list`.
>
> Signed-off-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
> ---
> automation/build/centos/7.2.dockerfile | 5 +++++
> automation/build/centos/7.dockerfile | 5 +++++
> automation/build/debian/jessie-i386.dockerfile | 5 +++++
> automation/build/debian/jessie.dockerfile | 5 +++++
> automation/build/ubuntu/trusty.dockerfile | 5 +++++
> 5 files changed, 25 insertions(+)
>
> diff --git a/automation/build/centos/7.2.dockerfile
> b/automation/build/centos/7.2.dockerfile
> index 4baa097e31..27244fd002 100644
> --- a/automation/build/centos/7.2.dockerfile
> +++ b/automation/build/centos/7.2.dockerfile
> @@ -50,3 +50,8 @@ RUN rpm --rebuilddb && \
> bzip2 \
> nasm \
> && yum clean all
> +
> +# Remove expired certificate that Let's Encrypt certificates used to relie
> on.
rely.
And really (to all of these modifications)? This seems outragously
hacky to be deploying into production...
Honestly, I think I'd prefer to drop all of these legacy versions...
~Andrew
|