SOLVED remove letsencrypt cert in freebsd jail

John Doe

Guru
Joined
Aug 16, 2011
Messages
635
hi folks,

I need some help as I am not able to figure out how to remove

DST_Root_CA_X3.pem

I am running a Nextcloud instance in a jail under FreeBSD. The Nextcloud instance cannot update.

a quick check:
Code:
curl https://community.letsencrypt.org/
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html


So I assume it is the outdated Let's Encrypt certificate.

I checked under /etc/ssl/ for certificates but cannot find anything indicating the DST_Root_CA_X3.pem.

Any idea?
 

Lansing123

Dabbler
Joined
Oct 4, 2021
Messages
24
I am having an issue with X3 as well; it is making applications unable to communicate since the Let's Encrypt certificate is outdated. I have not been able to find a way to remove it, unfortunately.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Isn't the solution to this to ensure that clients have an up-to-date list of trusted root CAs? I.e., they're not running outdated OSes, or, if they absolutely must, by installing the new cert?
 

Lansing123

Dabbler
Joined
Oct 4, 2021
Messages
24
Since Mono is not being updated and they have moved to .NET, which has no support on TrueNAS yet, it's not possible to get the new CA. I found a workaround in the jail you are using. Since I knew Mono was the issue for me, I went to /usr/local/mono/new-certs/Trust and found which CA in that folder had the DST Root CA X3 certificate. Then I just renamed it; this forces Mono to use an older CA. Worked for me, obviously do this at your own risk.
 

John Doe

Guru
Joined
Aug 16, 2011
Messages
635
I found a way. The cert got updated or blacklisted with an update of FreeBSD, so upgrading FreeBSD solved the problem.
Following are the steps I have done. Thank me later, future John Doe, for documenting it.


Take a snapshot, in case you mess it up ;-)

Within the TrueNAS shell:
Code:
root@freenas:~ # iocage upgrade [jailname] -r 12.2-RELEASE


Run through the dialogs, afterwards reboot the jail, then start the jail shell and enter:
Code:
pkg-static upgrade pkg && pkg upgrade


Without the 2nd command in the jail shell, Nextcloud wasn't able to start.

In case someone followed this Nextcloud tutorial:
nextcloud with hardened security

Run the following command in the mentioned location after Nextcloud is up and running to get rid of the indices warning:
Code:
root@nextcloud:/usr/local/www/nextcloud # sudo -u www php occ db:add-missing-indices
 

tsnives

Dabbler
Joined
Jan 1, 2019
Messages
12
For anyone finding this wondering how to manually update ca-root-nss.crt because the current version isn't working, I figured I'd post this. This is a last resort if updating the jail and the ca-root-nss package didn't fix your problem. Those are real solutions; this is a bandaid that you may have to keep re-applying.

Find a way to identify the specific cert you want to remove. In this case, it was the DST_Root_CA_X3 cert that expired on 9/30/21, and for whatever reason Mono still tried to use it.

First up, removing it. Use your favorite text editor and find the lines to prune. For me, that's nano so...
Code:
nano /usr/local/share/certs/ca-root-nss.crt

Next up is doing a search for the marker we're looking for. Ctrl+W does the trick in nano, and I used the date in question, "Sep 30".
Read the header data and confirm you're looking at the right one. Once you're definite, delete everything from "Certificate:" to "-----END CERTIFICATE-----".
Save the file, Ctrl+X in nano.

And to sync our change back to Mono, we need to tell it to update manually.
Code:
cert-sync /usr/local/share/certs/ca-root-nss.crt


Give whatever wasn't working that made you aware you had a cert problem a try. Working? Then move on, and remember that after your next pkg upgrade you may need to fix it again if the cert source hasn't been updated to remove it.

Not working? Alright, then we need to append a new valid cert for whatever you're doing, and you need it in PEM or CRT format (CRT is just a bunch of PEMs appended into one file). This is also how you would add any private certs you've created to the keystore. This part is super simple, assuming you know where to find the cert. In this case it's easy, since we know it's a Let's Encrypt cert we want. So off to their site, where we find links to their current active certs.
What we want is that cross-signed cert. This is how Let's Encrypt is extending service on those certs. So download it to a decent location, then we'll append it to the end of our cert file.
Code:
cd /usr/local/share/certs/
fetch https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem
cat isrg-root-x1-cross-signed.pem >> ca-root-nss.crt
cert-sync /usr/local/share/certs/ca-root-nss.crt
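As an added example (not from the thread or from any of its posters), here is the manual pruning step described above done as a script: it parses the "Certificate:" headers in a ca-root-nss.crt style bundle and drops every record whose "Not After" has passed, optionally also one named CN, while leaving the prologue and the other records untouched. The header layout and the /usr/local/share/certs/ca-root-nss.crt path come from the posts above; the two-certificate sample bundle and its PEM bodies are constructed placeholders.

```python
"""Prune expired or explicitly named CA certificates from a ca-root-nss.crt
style bundle.  Added example for this thread, not the thread's own code.
Assumes every PEM block is preceded by an `openssl x509 -text` style header
("Certificate:", "Not After :", "Subject:"), as the posts describe."""
import re
from datetime import datetime, timezone

# One record runs from its "Certificate:" header through the end of its PEM block.
RECORD_RE = re.compile(r"^Certificate:\n.*?-----END CERTIFICATE-----\n",
                       re.DOTALL | re.MULTILINE)
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$", re.MULTILINE)
SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+?)\s*$", re.MULTILINE)


def parse_records(bundle):
    """Yield (subject, not_after, raw_record_text) for each certificate."""
    for m in RECORD_RE.finditer(bundle):
        raw = m.group(0)
        subject = SUBJECT_RE.search(raw).group(1)
        stamp = NOT_AFTER_RE.search(raw).group(1)   # e.g. "Sep 30 14:01:15 2021 GMT"
        not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
        yield subject, not_after.replace(tzinfo=timezone.utc), raw


def prune_bundle(bundle, now=None, drop_cn=None):
    """Return (pruned_bundle, removed_subjects): drop each record whose Not After
    is in the past and, optionally, the one with the given CN; keep the rest."""
    now = now or datetime.now(timezone.utc)
    removed, out = [], bundle
    for subject, not_after, raw in parse_records(bundle):
        if not_after <= now or (drop_cn and f"CN={drop_cn}" in subject):
            removed.append(subject)
            out = out.replace(raw, "", 1)
    return out, removed


def _record(subject, not_after, body):
    """Build one constructed record in the header+PEM layout (placeholder body)."""
    return ("Certificate:\n    Data:\n        Validity\n"
            f"            Not After : {not_after}\n        Subject: {subject}\n"
            f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")


# Constructed sample bundle: the expired DST Root CA X3 and the valid ISRG Root X1.
SAMPLE_BUNDLE = ("##\n##  Bundle of CA Root Certificates (constructed sample)\n##\n"
    + _record("O=Digital Signature Trust Co., CN=DST Root CA X3",
              "Sep 30 14:01:15 2021 GMT", "MIIDSjCC...CONSTRUCTED-PLACEHOLDER")
    + _record("C=US, O=Internet Security Research Group, CN=ISRG Root X1",
              "Jun  4 11:04:38 2035 GMT", "MIIFazCC...CONSTRUCTED-PLACEHOLDER"))

if __name__ == "__main__":
    pruned, gone = prune_bundle(SAMPLE_BUNDLE)
    print("removed:", gone)
    print(pruned)
```

On a real jail you would read /usr/local/share/certs/ca-root-nss.crt, write the pruned text to a copy, inspect the removed subjects before swapping it in, and then run cert-sync as the post says.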
 

SlackerDude

Explorer
Joined
Feb 1, 2014
Messages
76
What am I missing here? I run the following code:
Code:
cd /usr/local/share/certs/
fetch https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem
cat isrg-root-x1-cross-signed.pem >> ca-root-nss.crt
cert-sync /usr/local/share/certs/ca-root-nss.crt


But when I attempt to run the last line (cert-sync), I get a "command not found" error.
 