Was alerted this morning to server applications failing due to an expired SSL certificate, with logs showing cURL errors. The weird thing was there was still half a month to go before the expiry date. Also, this problem does not affect browsers as the major browsers have already been updated.
Importing the renewed SSL certificate into AWS Certificate Manager did not help. Googled around and found that the problem was due to Sectigo AddTrust External CA Root Expiring May 30, 2020. And if Sectigo sounds unfamiliar, it’s basically a rebranding of Comodo.
Found a solution in this StackOverflow post, which worked directly on servers but needed some adjustments to apply it to Docker containers.
Firstly, a summary of the instructions for Ubuntu servers:

1. SSH into the server. You may need to run the commands with `sudo`.
2. Test the affected domain with cURL, e.g. `curl https://example.com`, and you will see the error “curl: (60) SSL certificate problem: certificate has expired”.
3. Open up `/etc/ca-certificates.conf` with your favourite editor (nano, vi) and comment out the lines specifying `AddTrust_External_Root.crt`. Save the file and exit.
4. Run `apt update && apt install ca-certificates`.
5. Run `update-ca-certificates -f -v`.
6. Try step 2 again. If cURL still does not work, try step 3 again, as the previous 2 commands may add new lines specifying `AddTrust_External_Root.crt`.
Now, for the Docker containers. There are 2 main issues: updating the Dockerfile, and running the commands on the Docker containers when no text editors (nano, vi) are installed. The latter works as a quick stop-gap measure while waiting for the Dockerfile to be updated and deployed. `sed` is used to comment out the line in the CA config file in the absence of text editors.

1. Update the Dockerfile and add the following (`-y` is needed because an image build has no terminal to answer the apt prompt):

```dockerfile
RUN sed -i 's/^mozilla\/AddTrust_External_Root.crt/#mozilla\/AddTrust_External_Root.crt/' /etc/ca-certificates.conf \
    && apt update && apt install -y ca-certificates \
    && update-ca-certificates -f -v
```

2. This step and the following steps are to be run on the Docker containers. SSH into the server running the Docker containers (it is assumed that the server itself has been updated). You may need to run the commands with `sudo`.
3. List the running containers with `docker ps`.
4. Find the container ID of the affected container(s) and run a shell using `docker exec -it <CONTAINER_ID> bash`. If `bash` doesn’t work, try `sh`.
5. Test the affected domain with cURL, e.g. `curl https://example.com`, and you will see the error “curl: (60) SSL certificate problem: certificate has expired”.
6. Run the following commands (note the `\/` in both halves of the `sed` expression; without the escaped slash in the replacement, the line is mangled rather than cleanly commented out):

```sh
sed -i 's/^mozilla\/AddTrust_External_Root.crt/#mozilla\/AddTrust_External_Root.crt/' /etc/ca-certificates.conf
apt update && apt install ca-certificates
update-ca-certificates -f -v
```

7. Try step 5 again. If cURL still does not work, run the `sed` command again, as the other 2 commands may add new lines specifying `AddTrust_External_Root.crt`.
8. Repeat steps 4 to 7 for the other affected Docker containers.
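The server and container procedures above both hinge on the same edit to `/etc/ca-certificates.conf`, and both note that `apt` or `update-ca-certificates` may put the `AddTrust_External_Root.crt` line back. The following POSIX shell script is an added example, not code from the original post: it wraps the edit in a function that is safe to re-run (already-commented lines are left alone instead of gaining a second `#`), adds a check that reports whether an active AddTrust entry remains, and exercises both against a constructed sample of the config file in a temporary location rather than the real `/etc/ca-certificates.conf`. The function names and the sample file contents are this example's own assumptions.

```shell
#!/bin/sh
# Added example: idempotently disable the AddTrust External Root entry in a
# ca-certificates.conf style file and verify that no active entry remains.
# In the real file "#" marks a comment and "!" deselects an entry; either
# keeps the certificate out of /etc/ssl/certs when update-ca-certificates runs.

CONF_ENTRY='mozilla/AddTrust_External_Root.crt'

# Comment out every line that consists exactly of the AddTrust entry.
# The "^" anchor means lines already starting with "#" or "!" are untouched,
# so re-running after apt/update-ca-certificates restore the line is safe.
# A temp file plus mv is used instead of "sed -i" for portability.
disable_addtrust_root() {
    conf="$1"
    tmp="${conf}.tmp.$$"
    sed "s|^${CONF_ENTRY}\$|#${CONF_ENTRY}|" "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Exit status 0 if an active (uncommented) AddTrust entry is still present.
addtrust_active() {
    grep -q "^${CONF_ENTRY}\$" "$1"
}

# Number of commented-out AddTrust entries (prints 0 when there are none).
commented_addtrust_count() {
    grep -c "^#${CONF_ENTRY}\$" "$1" || true
}

# Demonstration on a constructed sample file (not a real system file).
demo() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
# constructed sample of /etc/ca-certificates.conf
mozilla/ACCVRAIZ1.crt
mozilla/AddTrust_External_Root.crt
mozilla/Amazon_Root_CA_1.crt
EOF
    disable_addtrust_root "$conf"
    if addtrust_active "$conf"; then
        echo "FAIL: AddTrust entry still active"
        rm -f "$conf"
        return 1
    fi
    # Simulate apt re-adding the entry, then re-run the fix twice: the
    # result must be exactly two commented lines, never "##mozilla/...".
    echo "$CONF_ENTRY" >> "$conf"
    disable_addtrust_root "$conf"
    disable_addtrust_root "$conf"
    n=$(commented_addtrust_count "$conf")
    rm -f "$conf"
    if [ "$n" -eq 2 ]; then
        echo "OK: AddTrust root disabled ($n commented entries, none active)"
        return 0
    fi
    echo "FAIL: expected 2 commented entries, found $n"
    return 1
}

demo
```

To apply it on a real Ubuntu host or container, call `disable_addtrust_root /etc/ca-certificates.conf` as root, run `update-ca-certificates -f -v`, and then use `addtrust_active /etc/ca-certificates.conf` after any `apt install ca-certificates` to confirm the entry was not restored before re-testing with cURL.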