Red October for SSL Certs

Let's Encrypt's change of Root Certificate has led to some weird and unexpected issues. Let's see how to deal with it on macOS and Gentoo. The most common symptom is certificate errors while browsing the web: connections fail with a certificate security error, typically NET::ERR_CERT_DATE_INVALID.

Fix for macOS (as in El Capitan and older)

1. Download this Root Certificate:

NAME:
"ISRG Root X1"
(✅ Self-signed, ❌ NOT Cross-signed)
URL:
https://letsencrypt.org/certs/isrgrootx1.der

2. Verify that the fingerprints match (for safety, not essential):

So you know that the Root Certificate I've linked to is in fact the one that LE provides and Apple has certified/trusted.

This is for *your* safety since you *shouldn't* trust me.

FINGERPRINT (SHA-1):
CABD2A79A1076A31F21D253635CB039D4329A5E8

SOURCE:
https://letsencrypt.org/certificates/ (Active > ISRG Root X1 > Self-signed > der)
https://crt.sh/?id=9314791

WHAT APPLE SHIPS IN 10.12.1+:
https://support.apple.com/en-us/HT207189
- Search for: "ISRG Root X1"

You should see that the fingerprints match.

3. Install the certificate:

- Via "Keychain Access.app"
- `File > Import Items...`

You can install it into either the `login` or `system` keychain, but not `System Roots` (which is where it *would* be if we were on 10.12.1+).

- login = Current user only
- system = All users

4. Manually "Trust" that certificate:

- Find it ("ISRG Root X1") in the list and double click on it.
- Open the "▶ Trust" area.
- Set: `When using this certificate:` to `Always Trust`
- Close the window, which will ask you to verify with your login password.

🏁 Done!

(via Scott Helme)

As for my old Gentoo install

It refused to do a proper `emerge --sync` due to:

>>> Syncing repository 'gentoo' into '/usr/portage'...
* Using keys from /usr/share/openpgp-keys/gentoo-release.asc
* Refreshing keys via WKD ... [ !! ]
* Refreshing keys from keyserver hkps://keys.gentoo.org ...
OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: General error

OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: General error

Fix for Gentoo

`emerge-webrsync` (fetches a portage snapshot, so the failing keyserver refresh is skipped)
then
`emerge -1uva app-misc/ca-certificates` (brings in the current CA bundle, including ISRG Root X1)

🏁 Done!
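To check the fingerprint in step 2 without eyeballing it in a GUI, and to confirm after the Gentoo update that the system CA bundle (on Gentoo typically `/etc/ssl/certs/ca-certificates.crt`) now carries ISRG Root X1, here is an added Python script; it is not from the original post or from Let's Encrypt. It relies on the fact that a certificate's SHA-1 fingerprint is simply SHA-1 over its DER encoding, so a `.der` file is hashed directly and a PEM bundle is base64-decoded block by block first. The file paths, the function names and the sample bytes used for testing are my assumptions.

```python
"""Check ISRG Root X1 by SHA-1 fingerprint (added example, not from the post).

The SHA-1 fingerprint shown by Keychain Access, openssl and crt.sh is just
SHA-1 over the certificate's DER encoding, so no ASN.1 parsing is needed:
hash a .der file directly, or base64-decode each CERTIFICATE block of a PEM
bundle first.  Usage (the paths are assumptions):

    python3 check_isrg.py isrgrootx1.der
    python3 check_isrg.py /etc/ssl/certs/ca-certificates.crt
"""
import base64
import hashlib
import hmac
import re
import sys

# Expected fingerprint, as published by Let's Encrypt and quoted in the post.
ISRG_ROOT_X1_SHA1 = "CABD2A79A1076A31F21D253635CB039D4329A5E8"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_fingerprint(fp: str) -> str:
    """Accept 'CA:BD:2A...', 'cabd2a...' or 'CABD2A...'; return bare upper-case hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-1 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """Compare in constant time so a near-miss does not leak which bytes differ."""
    got = normalize_fingerprint(sha1_fingerprint(der))
    want = normalize_fingerprint(expected)
    return hmac.compare_digest(got, want)


def pem_bundle_to_der(pem_text: str) -> list:
    """Split a PEM file (single cert or a whole CA bundle) into DER blobs."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _PEM_BLOCK.finditer(pem_text)]


def der_to_pem(der: bytes) -> str:
    """Inverse of pem_bundle_to_der; used here to build constructed test bundles."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def bundle_contains(pem_text: str, expected: str) -> bool:
    """True if any certificate in the bundle has the expected fingerprint."""
    return any(fingerprint_matches(der, expected)
               for der in pem_bundle_to_der(pem_text))


def load_certs(path: str) -> list:
    """Return the DER certificates in a file, whether it is .der or PEM."""
    with open(path, "rb") as f:
        data = f.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        return pem_bundle_to_der(data.decode("ascii"))
    return [data]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "isrgrootx1.der"
    certs = load_certs(path)
    if len(certs) == 1:
        print("fingerprint:", sha1_fingerprint(certs[0]))
    hit = any(fingerprint_matches(c, ISRG_ROOT_X1_SHA1) for c in certs)
    print(f"{path}: {len(certs)} certificate(s); ISRG Root X1 "
          f"{'FOUND' if hit else 'NOT FOUND'}")
    sys.exit(0 if hit else 1)
```

The same check with the OpenSSL command line is `openssl x509 -inform der -in isrgrootx1.der -noout -fingerprint -sha1`; the script is only handier for a whole bundle, where it tells you whether the new root is present at all.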
