[wp-trac] [WordPress Trac] #54207: ca-bundle.crt contains expired certificate DST Root CA X3

WordPress Trac noreply at wordpress.org
Wed Nov 10 02:10:57 UTC 2021


#54207: ca-bundle.crt contains expired certificate DST Root CA X3
--------------------------+-----------------------------
 Reporter:  bradleyt      |       Owner:  SergeyBiryukov
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:  5.8.2
Component:  Security      |     Version:
 Severity:  normal        |  Resolution:  fixed
 Keywords:  fixed-major   |     Focuses:
--------------------------+-----------------------------

Comment (by desrosj):

 In [changeset:"52098" 52098]:
 {{{
 #!CommitTicketReference repository="" revision="52098"
 HTTP: Remove the DST Root CA X3 certificate expired on September 30, 2021.

 > The currently recommended certificate chain as presented to Let’s
 Encrypt ACME clients when new certificates are issued contains an
 intermediate certificate (ISRG Root X1) that is signed by an old DST Root
 CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL
 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA
 as having an expired trust chain.
 >
 > Most up-to-date CA cert trusted bundles, as provided by operating
 systems, contain this soon-to-be-expired certificate. The current CA cert
 bundles also contain an ISRG Root X1 self-signed certificate. This means
 that clients verifying certificate chains can find the alternative non-
 expired path to the ISRG Root X1 self-signed certificate in their trust
 store.
 >
 > Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers
 the untrusted chain and if that chain contains a path that leads to an
 expired trusted root certificate (DST Root CA X3), it will be selected for
 the certificate verification and the expiration will be reported.

 References:
 * [https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
 Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2]
 * [https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
 DST Root CA X3 Expiration (September 2021)]

 Follow-up to [25224], [25426], [25569], [27307], [30491], [30765],
 [34283], [35919], [36570], [46094].

 Props bradleyt, fierevere, SergeyBiryukov, peterwilsoncc.
 Merges [51883] to the 5.6 branch.
 Fixes #54207. See #50828.
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/54207#comment:20>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
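An added example, not WordPress code and not part of this ticket: a standard-library Python script that audits a PEM CA bundle such as the ca-bundle.crt this ticket concerns for roots that are past their notAfter date and emits a copy without them, which is what changeset [52098] did by hand for DST Root CA X3. It walks the DER TBSCertificate only far enough to read the subject CN and the validity window; it verifies no signatures and builds no chains. The certificates in SAMPLE_BUNDLE are constructed, unsigned stand-ins produced by fake_cert_pem; only their names and validity strings mirror the real DST Root CA X3 and ISRG Root X1 roots. Every function and constant name here is the example's own.

```python
"""Audit a PEM CA bundle for expired roots and emit a copy without them.

Standard library only: a minimal DER walk over TBSCertificate pulls out the
subject CN and the validity window. Signatures are not verified.
"""
import base64
import datetime
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)


def _tlv(buf, pos):
    """Decode the DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ; 50..99 means 19xx) or GeneralizedTime (0x18)."""
    s = raw.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=datetime.timezone.utc)


def _common_name(der, start, end):
    """First commonName in a Name (SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    while start < end:
        _, p, set_end = _tlv(der, start)              # RelativeDistinguishedName SET
        while p < set_end:
            _, atv_start, atv_end = _tlv(der, p)      # AttributeTypeAndValue SEQUENCE
            _, oid_s, oid_e = _tlv(der, atv_start)    # type OBJECT IDENTIFIER
            _, val_s, val_e = _tlv(der, oid_e)        # value (directory string)
            if der[oid_s:oid_e] == OID_CN:
                return der[val_s:val_e].decode("utf-8", "replace")
            p = atv_end
        start = set_end
    return None


def inspect_cert(der):
    """Return (subject_cn, not_before, not_after) for one DER-encoded certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, nxt = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(3):                      # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, v_start, pos = _tlv(der, pos)        # validity SEQUENCE
    t1, s1, e1 = _tlv(der, v_start)         # notBefore
    t2, s2, e2 = _tlv(der, e1)              # notAfter
    _, subj_s, subj_e = _tlv(der, pos)      # subject Name
    return _common_name(der, subj_s, subj_e), _time(t1, der[s1:e1]), _time(t2, der[s2:e2])


def audit_bundle(pem_text, now=None):
    """Return (kept, expired): lists of (cn, pem_block) and (cn, not_after)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    kept, expired = [], []
    for m in PEM_RE.finditer(pem_text):
        cn, _, not_after = inspect_cert(base64.b64decode(m.group(1)))
        if not_after < now:
            expired.append((cn, not_after))
        else:
            kept.append((cn, m.group(0)))
    return kept, expired


def cleaned_bundle(pem_text, now=None):
    """The bundle text with every expired certificate removed."""
    kept, _ = audit_bundle(pem_text, now)
    return "".join(block + "\n" for _, block in kept)


# ---- constructed sample input: unsigned stand-ins, not the real CA certificates ----
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):  # Name -> RDN SET -> AttributeTypeAndValue {CN OID, UTF8String}
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))


def fake_cert_pem(cn, not_before, not_after):
    """Structurally valid X.509 skeleton with a dummy signature (UTCTime strings)."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + _name(cn)
               + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
               + _name(cn) + _der(0x30, alg + _der(0x03, b"\x00")))
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (fake_cert_pem("DST Root CA X3", "000930211219Z", "210930140115Z")
                 + fake_cert_pem("ISRG Root X1", "150604110438Z", "350604110438Z"))

if __name__ == "__main__":
    kept, expired = audit_bundle(SAMPLE_BUNDLE)
    for cn, when in expired:
        print(f"dropping {cn}: expired {when:%Y-%m-%d %H:%M:%S} UTC")
    print(f"kept {len(kept)} certificate(s): {[cn for cn, _ in kept]}")
```

Run as-is it drops the constructed DST Root CA X3 stand-in and keeps ISRG Root X1; against a real file, call cleaned_bundle(open(path).read()) and write the result back. The test it applies is only "is this root itself past notAfter", which is the condition the OpenSSL 1.0.2 chain builder reports once it has selected the path ending at DST Root CA X3; pruning that root from the trust store removes the path and leaves the self-signed ISRG Root X1 for verification, which is the effect the commit message describes.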