15

I have an Ubuntu 14.04.5 LTS installation. It just recently became unable to verify modern Let's Encrypt certificates. The current version of ca-certificates is 20160104ubuntu0.14.04.1. apt search ca-certificates tells me that the package is upgradeable to 20170717~14.04.2 from trusty-updates, but I think that's probably not modern enough.

I see ca-certificates version 20210119~18.04.2 in bionic-updates. Is it possible to install this without disrupting the system? Is there a better way? Thanks.

  • 2
    Unfortunately 14.04 is not supported on this site. If you have ESM with Canonical then they may be able to provide an accurate answer – matigo Sep 30 '21 at 15:37
  • 2
    Only supported releases of Ubuntu (standard or public support) are on-topic for this site. Ubuntu 14.04 LTS is EOL (end-of-life) thus off-topic, and Ubuntu 14.04 ESM is in extended support and only supported by Canonical via Ubuntu Advantage thus also off-topic here. Refer https://askubuntu.com/help/on-topic https://help.ubuntu.com/community/EOLUpgrades https://fridge.ubuntu.com/2019/05/02/ubuntu-14-04-trusty-tahr-reached-end-of-life-on-april-25-2019-esm-available/ – guiverc Sep 30 '21 at 22:12

1 Answer

16

You can install the latest stable certs from source (you'll need a working wget and unxz, or at least a way of copying the uncompressed .tar file or its contents onto your target server, perhaps just scp -r once you've extracted it locally):

# Ensure dependencies
sudo apt -y install make tar xz-utils wget

Make a place to build it in

mkdir -p ~/src
cd ~/src
wget https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ca-certificates/20210119~20.04.2/ca-certificates_20210119~20.04.2.tar.xz
tar -xJf ca-certificates_20210119~20.04.2.tar.xz

# Now build and install
cd ca-certificates-20210119~20.04.1
make
sudo make install

You might want to run this interactively to ensure you can select the ISRG Root X1, in which case just run:

sudo dpkg-reconfigure ca-certificates

sudo dpkg-reconfigure -fnoninteractive ca-certificates
sudo update-ca-certificates
/usr/bin/c_rehash /etc/ssl/certs

jaygooby
  • 276
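The answer and the comments below it all come down to two checks on the trust store: the expired DST Root CA X3 must be deselected in /etc/ca-certificates.conf and ISRG Root X1 must end up in /etc/ssl/certs. The following helper is an added example, not code from the answer or from the ca-certificates package; it takes the conf file and certs directory as parameters and the demo at the bottom runs only against constructed fixtures in a temporary directory, so it is safe to try before pointing it at the real /etc paths.

```shell
#!/bin/sh
# Added example (not part of the answer above): idempotently deselect a
# certificate in a ca-certificates.conf file and check a certs directory for
# the state the answer describes (ISRG Root X1 present, DST Root CA X3 gone).
# Paths are parameters; nothing here touches /etc unless you pass it in.

# deselect_cert CONF PATH
# Prefix the line "PATH" in CONF with "!" (ca-certificates.conf syntax for
# "do not trust"). Only a line that is exactly PATH is rewritten, so running
# it twice is a no-op instead of producing "!!PATH".
deselect_cert() {
    conf="$1"
    esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # escape dots for the regex
    repl='!'"$2"                                    # '!' kept out of double quotes
    sed "s|^${esc}\$|${repl}|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# is_selected CONF PATH -> exit 0 if PATH is listed as trusted (no "!" prefix)
is_selected() {
    esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    grep -q "^${esc}\$" "$1"
}

# check_store DIR -> 0 if DIR has ISRG_Root_X1.pem and no DST_Root_CA_X3.pem,
# 1 if the ISRG root is missing, 2 if the expired DST root is still present.
check_store() {
    if [ ! -e "$1/ISRG_Root_X1.pem" ]; then
        echo "missing ISRG_Root_X1.pem in $1 (select it in dpkg-reconfigure ca-certificates)" >&2
        return 1
    fi
    if [ -e "$1/DST_Root_CA_X3.pem" ]; then
        echo "expired DST_Root_CA_X3.pem still in $1 (deselect it, re-run update-ca-certificates)" >&2
        return 2
    fi
    return 0
}

# Demo on constructed fixtures in a temp dir (NOT the real /etc files).
demo() {
    tmp=$(mktemp -d)
    conf="$tmp/ca-certificates.conf"
    printf '%s\n' '# constructed sample of /etc/ca-certificates.conf' \
        'mozilla/DST_Root_CA_X3.crt' \
        'mozilla/ISRG_Root_X1.crt' \
        'mozilla/ISRG_Root_X2.crt' > "$conf"
    deselect_cert "$conf" mozilla/DST_Root_CA_X3.crt
    deselect_cert "$conf" mozilla/DST_Root_CA_X3.crt   # second run changes nothing
    cat "$conf"

    certs="$tmp/certs"
    mkdir "$certs"
    : > "$certs/ISRG_Root_X1.pem"        # stand-in for the real symlink
    check_store "$certs" && echo "store OK"
    rm -rf "$tmp"
}
demo
```

On a real trusty box you would run `deselect_cert /etc/ca-certificates.conf mozilla/DST_Root_CA_X3.crt` as root (after taking the backup copy the comments suggest), then `dpkg-reconfigure -fnoninteractive ca-certificates` to regenerate the bundle, and finally `check_store /etc/ssl/certs` to confirm the symlink state before retrying curl or openssl s_client.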
  • I ran through this and it generated a lot of new certificates in /usr/share/ca-certificates/mozilla, as well as /etc/ssl/certs/ca-certificates.crt. But curl still fails to validate certificates, even with --cacert /etc/ssl/certs/ca-certificates.crt – Daniel Buckmaster Oct 01 '21 at 00:10
  • 2
    This answer was very helpful. First, in sbin/update-ca-certificates, I had to change openssl rehash to c_rehash (I studied an older version of ca-certificates). I also had to do dpkg-reconfigure ca-certificates (interactively) to enable the Let's Encrypt ISRG X1 certs. Then I did update-ca-certificates --fresh --verbose. Make sure /etc/ssl/certs has some ISRG Root X1 symlinks. – user1389892 Oct 01 '21 at 08:29
  • 1
@daniel-buckmaster: check a couple of things... Do you have ls -l /etc/ssl/certs/ISRG_Root_X1.pem? If you don't, then try the interactive dpkg-reconfigure suggested above. If you do, ensure you don't have /etc/ssl/certs/DST_Root_CA_X3.pem (the expired cert) - again you can interactively deselect it in dpkg-reconfigure ca-certificates. What openssl library is curl using? Run curl -V and it will show you. Hopefully it's a 1.0.x like OpenSSL/1.0.1f and not an OpenSSL/0.9.7 – jaygooby Oct 01 '21 at 08:47
  • 1
    I followed all the steps above, but curl was still complaining. In my case, openssl c_rehash command was failing in the update-ca-certificates script. I tried force reinstalling the openssl apt package but that didn't help. What finally solved my problem is cd /etc/ssl/certs then running the rehash script directly: /usr/bin/c_rehash. – ttk Oct 01 '21 at 19:52
  • Thanks @user1389892 for this question. – Ariel Kogan Oct 12 '21 at 11:35
  • 1
    Let's Encrypt have an announcement page with links to resources. – Ariel Kogan Oct 12 '21 at 11:41
  • 8
    If you want to make fewer changes and only remove the expired certificate (workaround 1 suggested by OpenSSL), you can run these commands:

    cp /etc/ca-certificates.conf /etc/ca-certificates.conf.orig

    sed 's|^mozilla/DST_Root_CA_X3.crt$|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf.orig > /etc/ca-certificates.conf

    dpkg-reconfigure -fnoninteractive ca-certificates

    – Ariel Kogan Oct 12 '21 at 11:41
  • 2
    @ArielKogan's comment should be a valid answer. – Arcobaleno Oct 13 '21 at 10:01
  • I've tried all of these steps but I still get a verify error:num=20:unable to get local issuer certificate error when I run openssl s_client on my client server, trying to verify with another remote server. – alexw Oct 16 '21 at 03:53
  • @alexw what version does openssl version show? – jaygooby Oct 16 '21 at 16:42
  • @jaygooby I upgraded to 1.1.1k, which it now shows. Apparently this message is to be expected, and I just had to wait a little while for the alternate/short chain to kick in. – alexw Oct 17 '21 at 01:26
  • Works also in a Dockerfile (no sudo, add RUN at each line start, perhaps add WORKDIR /src after mkdir). – questionto42 Dec 23 '21 at 13:34