Cedric Rey <cerey@xxxxxxxxxxxxxxx> writes:
> rpm -q ca-certificates --changelog
> * Tue Sep 14 2021 Bob Relyea <rrelyea@xxxxxxxxxx> - 2021.2.50-72
> - Fix expired certificate.
> - Removing:
> - # Certificate "DST Root CA X3"

> As you can see they just remove the old "DST Root CA X3" in the latest el7 ca-certificate version which corrects the problem I had before.

Wow, that is quite interesting, because they've propagated no such update to my RHEL8 or Fedora 34 machines (mumble dnf update mumble ... nope, still not there).

I speculate that that's because those releases don't need it: they're both running openssl 1.1.1something, which will do the right thing as soon as it finds the ISRG Root X1 certificate in the chain. But RHEL7 is still using openssl 1.0.2, which will follow the chain to the DST cert and then spit up [1]. So evidently Red Hat has implemented OpenSSL's "workaround 1" [2] on RHEL7, but they left well enough alone on newer platforms.

They could not have pushed out the DST cert removal much before that cert expired, for fear of causing unnecessary problems elsewhere. So that's why the seemingly short notice.

			regards, tom lane

[1] https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816
[2] https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
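
Added example (not part of the message above, and not OpenSSL's code): a simplified Python model of the two chain-building behaviours the message describes, showing why removing "DST Root CA X3" from the trust store helps the older one. The root names come from the thread; the "R3" intermediate, the example.org leaf, all dates, and every function name are assumptions made for the illustration.

```python
from datetime import datetime, timezone

def cert(subject, issuer, y, m, d):
    # Constructed stand-in for an X.509 certificate; dates are illustrative only.
    return {"subject": subject, "issuer": issuer,
            "not_after": datetime(y, m, d, tzinfo=timezone.utc)}

LEAF     = cert("example.org", "R3", 2021, 12, 1)
R3       = cert("R3", "ISRG Root X1", 2025, 9, 15)
X1_CROSS = cert("ISRG Root X1", "DST Root CA X3", 2024, 9, 30)    # cross-signed, sent by server
X1_ROOT  = cert("ISRG Root X1", "ISRG Root X1", 2035, 6, 4)       # self-signed, in trust store
DST_ROOT = cert("DST Root CA X3", "DST Root CA X3", 2021, 9, 30)  # expired root
SERVER_CHAIN = [LEAF, R3, X1_CROSS]
NOW = datetime(2021, 10, 1, tzinfo=timezone.utc)  # constructed "today", after the expiry

def issuer_of(c, pool):
    return next((p for p in pool if p["subject"] == c["issuer"]), None)

def finish(chain, now):
    names = [c["subject"] for c in chain]
    expired = any(c["not_after"] < now for c in chain)
    return ("certificate has expired" if expired else "ok", names)

def verify(sent, store, now, trusted_first):
    chain, pool = [sent[0]], sent[1:]
    if trusted_first:
        # Newer behaviour (model): consult the trust store before each step.
        while True:
            anchor = issuer_of(chain[-1], store)
            if anchor:
                return finish(chain + [anchor], now)
            nxt = issuer_of(chain[-1], pool)
            if nxt is None or nxt in chain:
                return ("unable to get local issuer certificate", [])
            chain.append(nxt)
    # Older behaviour (model): follow the server-sent certs to the end first,
    nxt = issuer_of(chain[-1], pool)
    while nxt is not None and nxt not in chain:
        chain.append(nxt)
        nxt = issuer_of(chain[-1], pool)
    # then look for a trusted issuer, backing off one cert at a time.
    while chain:
        anchor = issuer_of(chain[-1], store)
        if anchor:
            return finish(chain + [anchor], now)
        chain.pop()
    return ("unable to get local issuer certificate", [])
```

With both roots in the store, `verify(SERVER_CHAIN, [DST_ROOT, X1_ROOT], NOW, trusted_first=False)` ends at the expired root, while the same call with `[X1_ROOT]` only, or with `trusted_first=True`, ends at ISRG Root X1.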