Bug 1886063 - Expiring O = Digital Signature Trust Co., CN = DST Root CA X3
Summary: Expiring O = Digital Signature Trust Co., CN = DST Root CA X3
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ca-certificates
Version: 8.6
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: 8.7
Assignee: Bob Relyea
QA Contact: Alexander Sosedkin
URL:
Whiteboard:
Depends On:
Blocks: 2118463
Reported: 2020-10-07 15:15 UTC by Stanislav Zidek
Modified: 2023-06-05 16:23 UTC (History)
CC List: 5 users

Fixed In Version: ca-certificates-2022.2.54-80.2.el8_6
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 2118463
Environment:
Last Closed: 2023-06-05 16:22:55 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
Red Hat Issue Tracker: CRYPTO-7194 (last updated 2022-05-10 15:43:04 UTC)

Description Stanislav Zidek 2020-10-07 15:15:48 UTC
This is just a tracking bug: unless the CA in question requests, or has already requested, upstream inclusion of a refreshed certificate, it does not require any action.

Version-Release number of selected component (if applicable):
ca-certificates-2020.2.41-80.0.el8_2.noarch

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT
        Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:df:af:e9:97:50:08:83:57:b4:cc:62:65:f6:90:
                    82:ec:c7:d3:2c:6b:30:ca:5b:ec:d9:c3:7d:c7:40:
                    c1:18:14:8b:e0:e8:33:76:49:2a:e3:3f:21:49:93:
                    ac:4e:0e:af:3e:48:cb:65:ee:fc:d3:21:0f:65:d2:
                    2a:d9:32:8f:8c:e5:f7:77:b0:12:7b:b5:95:c0:89:
                    a3:a9:ba:ed:73:2e:7a:0c:06:32:83:a2:7e:8a:14:
                    30:cd:11:a0:e1:2a:38:b9:79:0a:31:fd:50:bd:80:
                    65:df:b7:51:63:83:c8:e2:88:61:ea:4b:61:81:ec:
                    52:6b:b9:a2:e2:4b:1a:28:9f:48:a3:9e:0c:da:09:
                    8e:3e:17:2e:1e:dd:20:df:5b:c6:2a:8a:ab:2e:bd:
                    70:ad:c5:0b:1a:25:90:74:72:c5:7b:6a:ab:34:d6:
                    30:89:ff:e5:68:13:7b:54:0b:c8:d6:ae:ec:5a:9c:
                    92:1e:3d:64:b3:8c:c6:df:bf:c9:41:70:ec:16:72:
                    d5:26:ec:38:55:39:43:d0:fc:fd:18:5c:40:f1:97:
                    eb:d5:9a:9b:8d:1d:ba:da:25:b9:c6:d8:df:c1:15:
                    02:3a:ab:da:6e:f1:3e:2e:f5:5c:08:9c:3c:d6:83:
                    69:e4:10:9b:19:2a:b6:29:57:e3:e5:3d:9b:9f:f0:
                    02:5d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
    Signature Algorithm: sha1WithRSAEncryption
         a3:1a:2c:9b:17:00:5c:a9:1e:ee:28:66:37:3a:bf:83:c7:3f:
         4b:c3:09:a0:95:20:5d:e3:d9:59:44:d2:3e:0d:3e:bd:8a:4b:
         a0:74:1f:ce:10:82:9c:74:1a:1d:7e:98:1a:dd:cb:13:4b:b3:
         20:44:e4:91:e9:cc:fc:7d:a5:db:6a:e5:fe:e6:fd:e0:4e:dd:
         b7:00:3a:b5:70:49:af:f2:e5:eb:02:f1:d1:02:8b:19:cb:94:
         3a:5e:48:c4:18:1e:58:19:5f:1e:02:5a:f0:0c:f1:b1:ad:a9:
         dc:59:86:8b:6e:e9:91:f5:86:ca:fa:b9:66:33:aa:59:5b:ce:
         e2:a7:16:73:47:cb:2b:cc:99:b0:37:48:cf:e3:56:4b:f5:cf:
         0f:0c:72:32:87:c6:f0:44:bb:53:72:6d:43:f5:26:48:9a:52:
         67:b7:58:ab:fe:67:76:71:78:db:0d:a2:56:14:13:39:24:31:
         85:a2:a8:02:5a:30:47:e1:dd:50:07:bc:02:09:90:00:eb:64:
         63:60:9b:16:bc:88:c9:12:e6:d2:7d:91:8b:f9:3d:32:8d:65:
         b4:e9:7c:b1:57:76:ea:c5:b6:28:39:bf:15:65:1c:c8:f6:77:
         96:6a:0a:8d:77:0b:d8:91:0b:04:8e:07:db:29:b6:0a:ee:9d:
         82:35:35:10

sha256sum: 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739

Comment 1 Philip Prindeville 2021-12-14 21:51:29 UTC
This is a known issue and there is no mitigation:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Comment 2 Oleg Girko 2021-12-14 22:33:04 UTC
(In reply to Philip Prindeville from comment #1)
> This is a known issue and there is no mitigation:
> 
> https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Does this mean that this cert should be removed completely?

Comment 3 Philip Prindeville 2021-12-15 01:02:19 UTC
(In reply to Oleg Girko from comment #2)
> (In reply to Philip Prindeville from comment #1)
> > This is a known issue and there is no mitigation:
> > 
> > https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
> 
> Does this mean that this cert should be removed completely?

No.  Cutting & pasting from the above article:

"DST Root CA X3 will expire on September 30, 2021. That means those older devices that don’t trust ISRG Root X1 will start getting certificate warnings when visiting sites that use Let’s Encrypt certificates. There’s one important exception: older Android devices that don’t trust ISRG Root X1 will continue to work with Let’s Encrypt, thanks to a special cross-sign from DST Root CA X3 that extends past that root’s expiration. This exception only works for Android."

If you do remove it, certain old Android devices won't work.  And newer devices, that use the first path, don't need the cross-signing anyway and aren't bothered by the expired certificate.

So it does no harm to leave it in place... and provides continuity for older devices that won't be updated.

Comment 4 Bob Relyea 2021-12-15 16:58:56 UTC
If you are using older versions of openssl, then removing the cert makes things better. We actually removed the cert from the RHEL-6 and RHEL-7 databases because they are running the older version of openssl. The cert will get removed from the root store naturally in the next update. If you want to explicitly remove it now, it should do no harm. The Android description applies to Android's root store.

There's a separate issue of whether or not to include the intermediate certificate signed by this root cert in your server chain. That's a configuration of your webserver and independent of the ca-certificates root store. I'll refer you to the article on how to decide whether or not to include the intermediate certificate in your server's certificate chain.

In general this sort of notification is mostly for issues with openssl on RHEL-6 and RHEL-7. Modern openssl is more tolerant of multiple chain paths with one path having expired certificates.

bob
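
The check an administrator would run to act on the advice above, as an added example that is not part of this bug report or of the ca-certificates package: list the roots in the trust store a TLS client actually loads, report every root whose notAfter has passed, and look for DST Root CA X3 by the SHA-256 fingerprint quoted in the description. The subject and validity dates of the DST entry in the sample data are taken from the certificate dump in the description; the second sample root, and all function names, are constructed for the example. The system-store lookup uses only the standard-library ssl module, so it reflects what Python (and, on RHEL, the same ca-certificates bundle OpenSSL uses) would trust.

```python
"""Audit a CA trust store for expired roots and look up one root by fingerprint.
Added example for bug 1886063; not code from the bug or from ca-certificates."""
import hashlib
import ssl
import time

# SHA-256 of the DST Root CA X3 certificate, as given in the bug description.
DST_ROOT_CA_X3_SHA256 = "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"

# Constructed sample in the shape SSLContext.get_ca_certs() returns.  The first
# entry's subject and validity come from the certificate dump in the bug; the
# second is a made-up root that is still valid, so the audit has something to keep.
SAMPLE_CERTS = [
    {
        "subject": ((("organizationName", "Digital Signature Trust Co."),),
                    (("commonName", "DST Root CA X3"),)),
        "notBefore": "Sep 30 21:12:19 2000 GMT",
        "notAfter": "Sep 30 14:01:15 2021 GMT",
    },
    {
        "subject": ((("commonName", "Example Valid Root"),),),  # constructed
        "notBefore": "Jan 15 00:00:00 2020 GMT",
        "notAfter": "Jan 15 00:00:00 2040 GMT",
    },
]


def seconds(cert_time):
    """Parse OpenSSL's 'Mon DD HH:MM:SS YYYY GMT' notation into epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def subject_string(cert):
    """Flatten ssl's nested RDN tuples into 'O=..., CN=...' form."""
    short = {"organizationName": "O", "commonName": "CN",
             "countryName": "C", "organizationalUnitName": "OU"}
    parts = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            parts.append(f"{short.get(attr, attr)}={value}")
    return ", ".join(parts)


def expired_roots(certs, now=None):
    """Return [(subject, notAfter)] for every cert whose notAfter is already past.

    As the discussion in this bug notes, an expired root left in the store is
    harmless to modern OpenSSL, but older OpenSSL fails when a cross-signed
    intermediate in the server chain leads back to it, so it is worth knowing
    which roots are in that state."""
    if now is None:
        now = time.time()
    return [(subject_string(c), c["notAfter"])
            for c in certs if seconds(c["notAfter"]) < now]


def der_sha256(der):
    """Hex SHA-256 over the DER encoding, which is how fingerprints are quoted."""
    return hashlib.sha256(der).hexdigest()


def audit_system_store(now=None):
    """Load the default trust store the way a Python TLS client would and return
    (expired roots, whether DST Root CA X3 is still present by fingerprint)."""
    ctx = ssl.create_default_context()
    # get_ca_certs() lists what load_default_certs() actually loaded.  A cafile
    # bundle (the RHEL default) is listed completely; with a capath directory
    # only certificates that have already been used appear.
    expired = expired_roots(ctx.get_ca_certs(), now)
    fingerprints = {der_sha256(d) for d in ctx.get_ca_certs(binary_form=True)}
    return expired, DST_ROOT_CA_X3_SHA256 in fingerprints


if __name__ == "__main__":
    # Sample store, evaluated the day after the DST root expired.
    for subj, not_after in expired_roots(SAMPLE_CERTS, now=seconds("Oct  1 00:00:00 2021 GMT")):
        print(f"sample store: expired {subj} (notAfter {not_after})")
    # Live system store.
    expired, dst_present = audit_system_store()
    print(f"system store: {len(expired)} expired root(s); DST Root CA X3 present: {dst_present}")
    for subj, not_after in expired:
        print(f"  {subj} (notAfter {not_after})")
```

On a RHEL 8 host the second value is the one to watch: it should be True on the ca-certificates build named in the description and False once the fixed build from this bug is installed. The fingerprint lookup is deliberately separate from the expiry check, because the advice above is to remove this particular root regardless of whether other expired roots are present.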

Comment 11 Clemens Lang 2023-06-05 16:22:55 UTC
RHEL 8.7 contains ca-certificates-2022.2.54-80.2.el8_6.

