How can I tell if wget can support LetsEncrypt's new ISRG Root X1 certificate after DST Root CA X3 Expiration

Solution 1:

Check your certificates as before, with your choice of TLS testers, or just a browser.

Have users update their client software.

The extended life DST Root CA X3 cross sign was primarily to extend the life of old Android devices. Of course nothing regarding implementing TLS is simple. This hit a bug in old OpenSSL 1.0.2 where this didn't validate as it should.

This problem with wget requires:

  • Compiled with --with-ssl=openssl, which is not the default upstream
  • Old, end-of-life OpenSSL 1.0.2, which normally should not be used, but some long-term-support distros maintain it.

For example, RHEL 7 should be affected. EL7 fixed it by updating ca-certificates to no longer contain the expired root.

The other thing to try is server side, by renewing with the alternate Let's Encrypt chain. Dropping the DST root no longer confuses old OpenSSL, but old Android will not work.
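The two conditions the answer gives (wget linked against OpenSSL, and that OpenSSL being the old 1.0.2 line) can both be read straight from `wget --version` and `openssl version`. The script below is an added example, not code from the question or the answer, that parses those two outputs and reports whether a build matches both conditions; the sample version strings are constructed to look like real EL7 and GnuTLS-build output so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original answer. It applies the answer's two
# conditions to the text of `wget --version` and `openssl version`:
# wget reports +ssl/openssl (built --with-ssl=openssl) AND OpenSSL is older
# than 1.1.0. The sample outputs at the bottom are constructed for offline use.

# Print the TLS backend wget reports ("openssl", "gnutls", ...) or "none".
# Reads the full `wget --version` text on stdin.
wget_tls_backend() {
    backend=$(sed -n 's/.*+ssl\/\([a-z]*\).*/\1/p' | head -n 1)
    if [ -n "$backend" ]; then
        printf '%s\n' "$backend"
    else
        printf 'none\n'
    fi
}

# Exit 0 if $1 (an `openssl version` line) names a release before 1.1.0,
# 1 if it is 1.1.0 or newer, 2 if the line cannot be parsed (e.g. LibreSSL).
openssl_is_legacy() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        return 2
    fi
    set -- $ver          # $1 = major, $2 = minor
    if [ "$1" -lt 1 ] || { [ "$1" -eq 1 ] && [ "$2" -lt 1 ]; }; then
        return 0
    fi
    return 1
}

# Print "affected", "not-affected" or "unknown" for the given version texts.
# $1: `wget --version` output, $2: `openssl version` output.
check_wget_affected() {
    backend=$(printf '%s\n' "$1" | wget_tls_backend)
    if [ "$backend" != "openssl" ]; then
        # A GnuTLS-linked wget never runs the OpenSSL 1.0.2 validation code path.
        printf 'not-affected\n'
        return 0
    fi
    rc=0
    openssl_is_legacy "$2" || rc=$?
    case $rc in
        0) printf 'affected\n' ;;
        1) printf 'not-affected\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# Constructed sample outputs, shaped like real `wget --version` / `openssl version` text.
SAMPLE_WGET_EL7='GNU Wget 1.14 built on linux-gnu.

+digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/openssl'
SAMPLE_WGET_GNUTLS='GNU Wget 1.21 built on linux-gnu.

-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm +opie +psl +ssl/gnutls'
SAMPLE_OPENSSL_OLD='OpenSSL 1.0.2k-fips  26 Jan 2017'
SAMPLE_OPENSSL_NEW='OpenSSL 1.1.1k  FIPS 25 Mar 2021'

printf 'EL7-style wget + OpenSSL 1.0.2: %s\n' "$(check_wget_affected "$SAMPLE_WGET_EL7" "$SAMPLE_OPENSSL_OLD")"
printf 'EL7-style wget + OpenSSL 1.1.1: %s\n' "$(check_wget_affected "$SAMPLE_WGET_EL7" "$SAMPLE_OPENSSL_NEW")"
printf 'GnuTLS wget + OpenSSL 1.0.2:    %s\n' "$(check_wget_affected "$SAMPLE_WGET_GNUTLS" "$SAMPLE_OPENSSL_OLD")"

# Live use on a host (uncomment):
# check_wget_affected "$(wget --version)" "$(openssl version)"
```

"affected" only means the build matches both conditions; as the answer notes, EL7 fixed the problem by updating ca-certificates to drop the expired DST Root CA X3, so an "affected" build with a current trust store validates the ISRG Root X1 chain fine. Treat the result as a prompt to check the ca-certificates package version, not as a final verdict.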