We have a bunch of expired intermediate certificates that we deploy on the machines (and CloudVPS VMs), and that is making some SSL checks fail:
```
dcaro@tools-harbor-1:~$ echo | openssl s_client -connect 87.240.132.67:443 -showcerts 2>/dev/null
CONNECTED(00000003)
---
Certificate chain
 0 s:C = RU, ST = Saint Petersburg, L = Saint Petersburg, O = V Kontakte LLC, CN = *.vk.com
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=C = RU, ST = Saint Petersburg, L = Saint Petersburg, O = V Kontakte LLC, CN = *.vk.com
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4052 bytes and written 363 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
```
So this task is to remove any unused certificates from modules/profile/files/ssl/ that are expired, and then clean up all the unused intermediate certificates under modules/base/files/ca.

From IRC with bblack:
```
cleaning it up in the general case is a little tricky. but we could start with cleaning up certs from files/ssl/ that are sufficiently expired, and then see if any remaining ones use the deployed intermediates that are expired, etc
16:53:10 most of those certs are internal ones signed from palladium
16:54:58 AFAICS, for this one particular case you mentioned: the only cert we have in there that uses it is "star.tools.wmflabs.org.crt", which itself expired in 2020
16:55:05 I'm guessing that's not deployed anywhere
16:55:52 (I don't see any refs in production puppet anyways, and it can't be useful)
16:56:20 so maybe do a patch to remove star.tools.wmflabs.org.crt, and then to remove the expired GlobalSign_Organization_Validation_CA_-_SHA256_-_G2.crt ?
16:57:49 note when removing the sslcert::ca part in base/certificates.pp, you should step through an ensure=>absent deployment first, so that it can clean up messes.
```
List of certs using an intermediate (leaf file, its issuer, and the AIA "CA Issuers" URI where the cert carries one):
```
Got one: modules/profile/files/ssl/digicert-2021-ecdsa-unified.crt
  Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
  CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crt
Got one: modules/profile/files/ssl/digicert-2021-rsa-unified.crt
  Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
  CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt
Got one: modules/profile/files/ssl/digicert-2022-ecdsa-unified.crt
  Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
  CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crt
Got one: modules/profile/files/ssl/digicert-2022-rsa-unified.crt
  Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
  CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt
Got one: modules/profile/files/ssl/digicert-2023-ecdsa-unified.crt
  Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
  CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crt
Got one: modules/profile/files/ssl/digicert-2023-rsa-unified.crt
  Issuer: C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
  CA Issuers - URI:http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
Got one: modules/profile/files/ssl/labvirt-star.codfw.wmnet.crt
  Issuer: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = WMF CA 2017-2020
Got one: modules/profile/files/ssl/labvirt-star.eqiad.wmnet.crt
  Issuer: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = WMF CA 2017-2020
Got one: modules/profile/files/ssl/ldap-corp.codfw.wikimedia.org.crt
  Issuer: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = WMF CA 2017-2020
Got one: modules/profile/files/ssl/ldap-corp.eqiad.wikimedia.org.crt
  Issuer: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = WMF CA 2017-2020
Got one: modules/profile/files/ssl/ldap-ro.codfw.wikimedia.org.crt
  Issuer: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = ldap-ro.codfw.wikimedia.org, emailAddress = root@wikimedia.org
Got one: modules/profile/files/ssl/ldap-ro.eqiad.wikimedia.org.crt
  Issuer: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = ldap-ro.eqiad.wikimedia.org, emailAddress = root@wikimedia.org
Got one: modules/profile/files/ssl/star.tools.wmflabs.org.crt
  Issuer: C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
  CA Issuers - URI:http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt
Got one: modules/profile/files/ssl/star.wmflabs.org.crt
  Issuer: C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
  CA Issuers - URI:http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
```
List of expired intermediates (from IRC, deployed via sslcert::ca):

```
=== DigiCert_High_Assurance_CA-3.crt Not After : Apr 3 00:00:00 2022 GMT
17:02:45 === GeoTrust_Global_CA.crt Not After : Aug 21 04:00:00 2018 GMT
17:02:45 === GlobalSign_Organization_Validation_CA_-_SHA256_-_G2.crt Not After : Aug 2 10:00:00 2022 GMT
17:02:48 === RapidSSL_SHA256_CA_-_G3.crt Not After : May 20 21:39:32 2022 GMT
17:02:50 === wmf_ca_2017_2020.crt Not After : Jul 18 20:43:26 2020 GMT
17:02:53 ^ all of these sslcert::ca intermediates are expired, FWIW
```
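The two listings above are the inputs the cleanup needs: which intermediates are expired, and which leaf certs still name each one as issuer. The POSIX shell script below is an added example, not from this task or from the puppet repo, that produces both in one pass with nothing but openssl: it marks every intermediate in one directory as valid or EXPIRED and lists the leaf files in a second directory whose issuer DN matches that intermediate's subject DN. An intermediate that is EXPIRED and unused is a removal candidate; one that is EXPIRED but still in use means the dependent leaf has to be dealt with first (as with star.tools.wmflabs.org.crt and the GlobalSign G2 intermediate). It assumes one PEM certificate per `*.crt` file, and the directory names in the usage comment are the ones the task mentions.

```shell
#!/bin/sh
# Added example (not from the task or the puppet repo): audit a directory of
# PEM intermediates against a directory of leaf certificates using openssl.
# Assumes one PEM certificate per *.crt file and openssl on PATH.

# Print the subject or issuer DN of a certificate in RFC 2253 form, with the
# "subject="/"issuer=" prefix stripped, so that a leaf's issuer can be
# string-compared with an intermediate's subject.
cert_name() {  # $1 = subject|issuer, $2 = certificate file
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*=//'
}

# Exit 0 if the certificate is still valid $2 seconds from now (default 0,
# i.e. "is it valid right now"), 1 if it is already expired or will be by then.
# -checkend exits non-zero when the cert expires within the given window.
cert_valid_for() {  # $1 = certificate file, $2 = seconds (optional)
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# List the leaf files in directory $2 whose issuer DN equals the subject DN
# of intermediate $1. Always returns 0 so callers can capture the output.
leaves_issued_by() {  # $1 = intermediate file, $2 = leaf directory
    want=$(cert_name subject "$1")
    for leaf in "$2"/*.crt; do
        [ -f "$leaf" ] || continue
        [ "$(cert_name issuer "$leaf")" = "$want" ] && echo "$leaf"
    done
    return 0
}

# Report one line per intermediate ("valid|EXPIRED in-use|unused <file>"),
# followed by the leaves that depend on it, indented with "<-".
audit_intermediates() {  # $1 = intermediate directory, $2 = leaf directory
    for ca in "$1"/*.crt; do
        [ -f "$ca" ] || continue
        if cert_valid_for "$ca" 0; then state=valid; else state=EXPIRED; fi
        users=$(leaves_issued_by "$ca" "$2")
        if [ -z "$users" ]; then
            echo "$state unused $(basename "$ca")"
        else
            echo "$state in-use $(basename "$ca")"
            echo "$users" | sed 's/^/    <- /'
        fi
    done
    return 0
}

# Usage (paths from the task): sh audit.sh modules/base/files/ca modules/profile/files/ssl
if [ $# -eq 2 ]; then
    audit_intermediates "$1" "$2"
fi
```

The DN comparison is deliberately exact: `-nameopt RFC2253` prints both sides with the same escaping and ordering, which avoids the false mismatches you get when comparing the default `C = BE, O = ...` rendering against a DN typed by hand. Passing a window to `cert_valid_for` (for example `2592000` for 30 days) turns the same script into an "about to expire" check for the non-expired intermediates.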