
I have two Ubuntu 18.04 machines: one is a virtual machine based on the bento/ubuntu-18.04 Vagrant box and the other is a laptop.

Since yesterday, when I try to clone a repository, the virtual machine shows a certificate error.

```
vagrant@mybox:~$ git clone https://somehostedgitrepo/myrepo.git/
Cloning into 'myrepo'...
fatal: unable to access 'https://somehostedgitrepo/myrepo.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
```

On my laptop it still works.

When I verify

```
openssl s_client -connect somehostedgitrepo:443
```

It shows that the certificate is expired

```
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=10:certificate has expired
notAfter=Jun  4 11:04:38 2035 GMT
CONNECTED(00000005)
---
Certificate chain
 0 s:CN =somehostedgitrepo
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLjCCBBagAwIBAgISAzIS8MDFK/RLB5bSwMulrF77MA0GCSqGSIb3DQEBCwUA
...
JJzXxLHT6RkWXPDM9wyTnQl14gC6Mtp+S3IbBbGoidnnOw==
-----END CERTIFICATE-----
subject=CN = somehostedgitrepo

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4586 bytes and written 402 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
....
```

On my laptop I have

```
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = somehostedgitrepo
verify return:1
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = somehostedgitrepo
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLjCCBBagAwIBAgISAzIS8MDFK/RLB5bSwMulrF77MA0GCSqGSIb3DQEBCwUA
...
```

Notice that on my VM the top of the output shows

```
notAfter=Jun  4 11:04:38 2035 GMT
```

I noticed that there is a difference in the file /etc/ca-certificates.conf

```
diff ca-certificates.conf /etc/ca-certificates.conf
46c46
< mozilla/DST_Root_CA_X3.crt
---
> !mozilla/DST_Root_CA_X3.crt
```

When I update that line on my virtual machine to match `!mozilla/DST_Root_CA_X3.crt`, then run `apt-get update && apt-get install ca-certificates` and reboot, it works again.

What is going on here? Why did it suddenly start failing yesterday on my VM? Why is Ubuntu on the VM different and more strict?
onknows
    Something to do with https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ maybe? – garethTheRed Oct 02 '21 at 13:46
    Does this answer your question? [cURL on Ubuntu 14: all Let's Encrypt certificates are expired (error 60)](https://superuser.com/questions/1679204/curl-on-ubuntu-14-all-lets-encrypt-certificates-are-expired-error-60) – Ramhound Nov 05 '21 at 12:18
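
An added example, not part of the original post or its comments: a read-only check of the two things the question compares by hand, namely how `mozilla/DST_Root_CA_X3.crt` is configured in `ca-certificates.conf` and which still-selected entries are already past their `notAfter` date. The function names and the sample file are constructed for illustration; the `!` (deselected) and `#` (comment) semantics and the `/usr/share/ca-certificates` directory are those documented for `update-ca-certificates`.

```shell
#!/bin/sh
# Added example, not from the original post.
# ca-certificates.conf format: one path per line, relative to
# /usr/share/ca-certificates; '#' starts a comment, a leading '!' deselects.

# Report how one entry is configured: selected, deselected or absent.
entry_state() {
    conf=$1 entry=$2
    if grep -qxF -- "$entry" "$conf"; then echo selected
    elif grep -qxF -- "!$entry" "$conf"; then echo deselected
    else echo absent
    fi
}

# Print every selected entry (skips blank lines, comments and '!' lines).
selected_entries() {
    grep -v -e '^[[:space:]]*$' -e '^#' -e '^!' "$1" || true
}

# Print "<entry> notAfter=<date>" for selected entries already past notAfter.
# Entries whose file is missing or does not parse as a certificate are skipped.
expired_selected() {
    conf=$1 certdir=${2:-/usr/share/ca-certificates}
    selected_entries "$conf" | while IFS= read -r entry; do
        crt=$certdir/$entry
        openssl x509 -in "$crt" -noout >/dev/null 2>&1 || continue
        if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
            printf '%s %s\n' "$entry" "$(openssl x509 -in "$crt" -noout -enddate)"
        fi
    done
}

# Constructed sample mirroring the two variants in the diff above:
# pass '' for the selected form, '!' for the deselected form.
sample_conf() {
    printf '%s\n' '# constructed sample' \
        'mozilla/ISRG_Root_X1.crt' "${1}mozilla/DST_Root_CA_X3.crt"
}

# Run against the real file when present (nothing is modified).
if [ -r /etc/ca-certificates.conf ]; then
    entry_state /etc/ca-certificates.conf mozilla/DST_Root_CA_X3.crt
    expired_selected /etc/ca-certificates.conf
fi
```

Running it on both machines shows in one pass whether they differ in the selected root set, without editing the configuration.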
