LinuxQuestions.org
Old 05-19-2021, 08:00 AM   #1
aikempshall
Member
 
Registered: Nov 2003
Location: Bristol, Britain
Distribution: Slackware
Posts: 900

certificate /etc/ssl/certs/cacert-class3.crt expiration warning


In the last 4 days root has been mailed to say that

Quote:
WARNING: certificate /etc/ssl/certs/cacert-class3.crt
is about to expire in time equal to or less than 7 days from now on,
or has already expired - it might be a good idea to obtain/create new one.

NOTE: This message is being sent only once.

A lock-file
/var/run/certwatch-mailwarning-sent-cacert-class3.crt
has been created, which will prevent this script from mailing you again
upon its subsequent executions by crond. You dont need to care about it;
the file will be auto-deleted as soon as you'll prolong your certificate.
What should I do?
 
Old 05-19-2021, 03:56 PM   #2
CTM
Member
 
Registered: Apr 2004
Distribution: Slackware
Posts: 308

Short version: you (or a third-party package you installed) added one of CAcert's intermediate TLS certificates to the OpenSSL trusted certificates directory (/etc/ssl/certs, typically managed by the ca-certificates package). That certificate is about to expire. Consider whether you actually trust CAcert, and if so, replace that certificate with the new one and run "update-ca-certificates" as root.

Long version: CAcert is a community-maintained TLS certificate authority. It operates outside of the Internet's prevalent public key infrastructure, meaning that its root certificate isn't signed by one of the main certificate authorities and therefore isn't trusted by major operating systems (including Slackware, so you didn't get this certificate via the ca-certificates package). At some point in the last ten years, you installed CAcert's Class 3 CA certificate - generated in June 2011, and valid for ten years - to OpenSSL's trusted certificates directory. certwatch (a cron job installed by the openssl package) is mailing you to tell you that that CA certificate is about to expire, and that OpenSSL will refuse to verify any certificate chain containing that CA in a week's time. If you don't know why CAcert is in your trusted certificates directory, or don't recall installing it there, the safest thing to do would be to remove it: it wasn't installed by Slackware, and the impact to you will likely be zero since hardly anyone asks CAcert to sign their certificates (especially with the rise of Let's Encrypt, a free CA that is trusted by all major operating systems). If you want to continue trusting CAcert, you'll need to download the replacement Class 3 CA certificate - valid for another ten years, until April 2031 - and regenerate the database of trusted certificates by running "update-ca-certificates" as root.
 
2 members found this post helpful.
Old 05-20-2021, 02:13 AM   #3
aikempshall
Member
 
Registered: Nov 2003
Location: Bristol, Britain
Distribution: Slackware
Posts: 900

Original Poster
Thanks for the detailed explanation.

I don't know where the certificate came from and it seems to suggest that it's almost 10 years old. It also doesn't appear on any of my other machines.

So I removed it

Code:
rm /etc/ssl/certs/cacert-class3.crt
update-ca-certificates
which resulted in

Quote:
Updating certificates in /etc/ssl/certs...
3 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Am I able to find what's been added?



The results look a bit odd. I was hoping for

Quote:
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
 
Old 05-20-2021, 05:38 PM   #4
CTM
Member
 
Registered: Apr 2004
Distribution: Slackware
Posts: 308

I don't think there's a way you can find out what update-ca-certificates did after the fact, but if you're concerned about other certificates lurking in the trusted certificates directory that you might not necessarily trust, you could check what's in there that didn't come from the ca-certificates package:

Code:
# Certificates that are regular files (except for the big bundle created by update-ca-certificates), which have been manually installed:
find /etc/ssl/certs -type f \! -name ca-certificates.crt

# Links to certificates that didn't come from ca-certificates:
find /etc/ssl/certs -type l -print0 | xargs -0 readlink -f | grep -v '^/usr/share/ca-certificates/'
 
1 members found this post helpful.
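
An added example, not part of the thread or of CTM's post: the two checks above combined into one audit that also follows the hash-named symlinks back to local files, de-duplicates the result, and reports expiry against the same 7-day window as the warning. The function names are hypothetical; GNU find/xargs/readlink and the openssl command are assumed.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes GNU find/xargs/readlink and, for expiry checks, the openssl CLI.

# List each certificate in trust directory $1 that does not resolve into the
# packaged certificate tree $2, once, by canonical path.
local_trust_anchors() {
    dir=$(readlink -f "$1") || return 1
    pkg=$(readlink -f "$2") || return 1
    {
        # Regular files, minus the bundle written by update-ca-certificates.
        find "$dir" -type f ! -name ca-certificates.crt -print0
        # Symlinks, including the <hash>.0 links that point at local files.
        find "$dir" -type l -print0
    } | xargs -0 -r readlink -f |
        awk -v p="$pkg/" 'index($0, p) != 1' | sort -u
}

# Print ok, expiring or unreadable for certificate $1; "expiring" means it
# expires within $2 seconds or already has (7 days = 604800 seconds).
expiry_status() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
    fi
}

# One line per local trust anchor: status, path, subject and notAfter.
audit_trust_dir() {
    local_trust_anchors "$1" "$2" | while IFS= read -r cert; do
        info=$(openssl x509 -in "$cert" -noout -subject -enddate 2>/dev/null | tr '\n' ' ')
        printf '%s\t%s\t%s\n' "$(expiry_status "$cert" 604800)" "$cert" "$info"
    done
}

# Usage: sh audit.sh /etc/ssl/certs [/usr/share/ca-certificates]
if [ "$#" -ge 1 ]; then
    audit_trust_dir "$1" "${2:-/usr/share/ca-certificates}"
fi
```

Running it before and after update-ca-certificates and comparing the two outputs shows which local trust anchors changed.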
Old 05-21-2021, 05:13 AM   #5
aikempshall
Member
 
Registered: Nov 2003
Location: Bristol, Britain
Distribution: Slackware
Posts: 900

Original Poster
Thanks CTM

The result from running the code is

/etc/ssl/certs/cacert-root.crt

Should I remove this in the same way that I removed /etc/ssl/certs/cacert-class3.crt, then rerun update-ca-certificates?
 
Old 05-21-2021, 04:55 PM   #6
CTM
Member
 
Registered: Apr 2004
Distribution: Slackware
Posts: 308

Yes - that'll be CAcert's Root CA certificate, which is used to sign the Class 3 CA certificate. Unless you also remove that, certificates signed by CAcert will still be trusted (because the certificate chain will terminate with one or more certificates in your trusted certificates directory).
 
  


All times are GMT -5. The time now is 06:41 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration