
LCFG Project


Let’s Encrypt Issue

As many of you will be aware by now, yesterday one of the Let’s Encrypt certificates expired and there was a certain amount of fallout…

Frustratingly, the necessary updates for the ca-certificates packages on both SL7 and Ubuntu Focal were released too recently to be in our latest LCFG stable release. Furthermore, on SL7 it was only issued as a “fastbugs” update so we didn’t notice until it was already too late.

I am planning to issue an additional stable release – 2021092701c – today which will have the necessary package update specifications. In the meantime you can add something like this to your headers:

#ifdef LINUX_EL7
!profile.packages mEXTRA(+ca-certificates=2021.2.50-72.el7_9/noarch)
#endif

#ifdef LINUX_UBUNTU
!profile.packages mEXTRA(+ca-certificates=20210119~20.04.2/noarch)
#endif

Due to the ancient version of openssl on SL7, if your LCFG clients on SL7 are using HTTPS to communicate with the LCFG server and that server uses Let’s Encrypt certificates you will have a problem that can only be fixed with manual intervention. The new profile will not be fetched until you update the ca-certificates package. For Informatics SL7 machines we ended up logging into each via ssh as root, using wget to fetch the rpm package, and then installing using the rpm command.

The LCFG client on Ubuntu is not affected so will pick up the new profile. However, for some reason which we don’t yet understand, if apt is configured to use HTTPS to fetch packages and the package server uses Let’s Encrypt certificates then it will not be able to communicate with the package server. Again, this leaves you needing a manual intervention. On Ubuntu we added a cron job to our LCFG headers like this:

!cron.additions         mADD(cacertfix)

cron.add_cacertfix     AUTOMINS 18 * * * wget -N -P /var/tmp https://deb.pkgs.inf.ed.ac.uk/ubuntu/pool/main/c/ca-certificates/ca-certificates_20210119~20.04.2_all.deb && dpkg -i /var/tmp/ca-certificates_20210119~20.04.2_all.deb

Of course, if you use that strategy you will need to adjust the timings appropriately. It seems this is safe enough to leave in place for a few days to allow for machines that aren’t running at the time of the first pass.

It’s tempting to manually edit the /etc/ca-certificates.conf file but note that once you’ve done that it will not be updated by future updates to the ca-certificates package. Both rpm and dpkg will preserve any modified config files. You would be left either needing to revert to the package version of the config file at some later point or having to actively manage any further changes that are required.

The nuisance here is that none of this completely helps with machines that are currently turned off. There will need to be an ongoing effort to identify broken machines and apply the manual intervention.
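Finding the machines that still need the manual intervention means comparing each host's installed ca-certificates version against the fixed one, and package version strings do not compare as plain strings (in Debian versions the tilde in 20210119~20.04.2 sorts below a bare 20210119). The following is an added example, not LCFG code or anything from the post: it ports the dpkg and rpm comparison rules to Python and runs them over a constructed inventory. The fixed version strings are the ones quoted above; the inventory format, hostnames, older versions and function names are all assumptions, and the rpm port leaves out the '^' operator since these versions do not use it. On a real host the installed version comes from rpm -q --qf '%{VERSION}-%{RELEASE}' ca-certificates or dpkg-query -W -f '${Version}' ca-certificates.

```python
"""Flag hosts whose ca-certificates package is older than the fixed release.
Added example, not LCFG code. Versions are compared the way dpkg and rpm do it;
the rpm port skips the '^' operator (assumption: unused in these versions)."""

# Fixed versions named in the post; the inventory further down is constructed.
REQUIRED = {"el7": "2021.2.50-72.el7_9", "ubuntu": "20210119~20.04.2"}

def _dpkg_order(c):
    """dpkg character weight: '~' < end-of-string or digit < letters < others."""
    if c == "~":
        return -1
    return 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def dpkg_compare(a, b):
    """Port of dpkg's verrevcmp(): negative, zero or positive like strcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: character weights decide ('~' loses even to end-of-string)
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            diff = _dpkg_order(a[i:i + 1]) - _dpkg_order(b[j:j + 1])
            if diff:
                return diff
            i, j = i + 1, j + 1
        # numeric run: strip leading zeros, longer run wins, else first differing digit
        while i < len(a) and a[i] == "0": i += 1
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def rpm_compare(a, b):
    """Simplified port of rpmvercmp(): alternating digit/alpha segments, '~' honoured."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"): i += 1  # skip separators
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"): j += 1
        ta, tb = a[i:i + 1] == "~", b[j:j + 1] == "~"
        if ta != tb:  # '~' sorts before everything, even the end of the string
            return -1 if ta else 1
        if ta:        # both sides have '~': step over it and carry on
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        take, si, sj = (str.isdigit if a[i].isdigit() else str.isalpha), i, j
        while i < len(a) and take(a[i]): i += 1
        while j < len(b) and take(b[j]): j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:  # segment types differ: the numeric one is newer
            return 1 if take is str.isdigit else -1
        if take is str.isdigit:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1

def _split_deb(v):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    epoch, rest = (int(epoch), rest) if sep else (0, v)
    up, sep, rev = rest.rpartition("-")
    return (epoch, up, rev) if sep else (epoch, rest, "")

def needs_fix(platform, installed):
    """True if the installed ca-certificates version is below the one carrying the fix."""
    if platform == "el7":  # rpm: compare version first, then release
        (va, _, ra), (vb, _, rb) = installed.partition("-"), REQUIRED["el7"].partition("-")
        return (rpm_compare(va, vb) or rpm_compare(ra, rb)) < 0
    ea, ua, ra = _split_deb(installed)
    eb, ub, rb = _split_deb(REQUIRED[platform])
    return ((ea - eb) or dpkg_compare(ua, ub) or dpkg_compare(ra, rb)) < 0

# Constructed inventory lines: "host platform installed-version".
INVENTORY = """\
fs01.example el7 2020.2.41-70.0.el7_8
fs02.example el7 2021.2.50-72.el7_9
lab01.example ubuntu 20210119~20.04.1
lab02.example ubuntu 20210119~20.04.2
"""

def hosts_needing_fix(inventory=INVENTORY):
    """Hostnames whose recorded ca-certificates version predates the fixed one."""
    rows = (line.split() for line in inventory.splitlines())
    return [host for host, plat, ver in rows if needs_fix(plat, ver)]

if __name__ == "__main__":
    for host in hosts_needing_fix():
        print("needs ca-certificates update:", host)
```

The list this produces is the set of hosts still to be visited; machines that were powered off when the inventory was taken simply will not appear in it, which is why the post says the check has to be repeated over a few days.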

If any of this is unclear or you need any further advice I recommend you join the LCFG Slack channel where we have been discussing the problem. Annoyingly, due to a DNS issue, Slack has been having its own problems today…
