Deal with CA root certificate expiration fallout
On 09/30/2021 the root "DST Root CA X3" certificate expired. A new certificate ("ISRG Root X1") was in place well in advance, but OpenSSL 1.0.2 (and others) still try to chain through the old certificate. See this blog post. This affects not only our servers, but all standard and custom images as well.
Things we gotta do:
- Fix all boss/ops/dbox/whatever nodes that need HTTPS service from anyone.
- Make sure our client images going forward do not include the DST certificate and do include the replacement.
- Add slicefix magic to fix up custom images based on our supported images (Ubuntu 16+, CentOS 7+, FreeBSD 11+).
- Have a plan for older images (instructions for how users can fix them?).
The fix is pretty straightforward for at least Ubuntu and FreeBSD: just remove the invalid certificate from the right places. I will note that Ubuntu 14 does not include the replacement certificate, so a fix is harder...if we choose to try to do something about older images.
Edited by Mike Hibler
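An added example, not part of the original issue or the project's tooling: a small auditor for a PEM CA bundle that reports whether the expired root is still present and whether the replacement is there (the Ubuntu 14 case above), and returns the bundle with the expired root removed. The function names are hypothetical, the sample blobs are constructed stand-ins rather than real certificates, and matching on CN bytes is a heuristic; `openssl x509 -noout -subject -issuer` on each certificate is the authoritative check.

```python
import base64
import re

# Subject CNs of the two roots named in the issue above.
EXPIRED_CN = b"DST Root CA X3"
REPLACEMENT_CN = b"ISRG Root X1"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def split_bundle(text):
    """Return (pem_text, der_bytes) for every certificate block in a bundle."""
    return [(m.group(0), base64.b64decode("".join(m.group(1).split())))
            for m in PEM_RE.finditer(text)]

def is_self_signed_root(der, cn):
    # Heuristic: a self-signed root carries its name as both issuer and
    # subject, so the CN bytes occur at least twice. A cross-signed
    # certificate that only names the CN as its issuer matches once.
    return der.count(cn) >= 2

def audit_bundle(text):
    """Report on the two roots and return the bundle without the expired one."""
    certs = split_bundle(text)
    kept = [pem for pem, der in certs
            if not is_self_signed_root(der, EXPIRED_CN)]
    return {
        "has_expired": len(kept) != len(certs),
        "has_replacement": any(is_self_signed_root(der, REPLACEMENT_CN)
                               for _, der in certs),
        "cleaned": "\n".join(kept) + ("\n" if kept else ""),
    }

def fake_pem(issuer, subject):
    """Constructed stand-in blob (NOT a real certificate) for the demo."""
    body = base64.b64encode(b"\x30\x82" + issuer + b"\x00" + subject).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + body +
            "\n-----END CERTIFICATE-----")

SAMPLE = "\n".join([
    fake_pem(EXPIRED_CN, EXPIRED_CN),          # expired self-signed root
    fake_pem(REPLACEMENT_CN, REPLACEMENT_CN),  # replacement root
    fake_pem(EXPIRED_CN, REPLACEMENT_CN),      # cross-signed, issuer only
])

if __name__ == "__main__":
    report = audit_bundle(SAMPLE)
    print(report["has_expired"], report["has_replacement"])
    print(len(split_bundle(report["cleaned"])), "certificates kept")
```

An image where `has_expired` is true and `has_replacement` is false needs the replacement root installed before the expired one is removed.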