Fixing Sectigo/Comodo SSL certificate expiry error on Ubuntu servers and Docker containers

Was alerted this morning to server applications failing due to an expired SSL certificate, with logs showing cURL errors. The weird thing was there was still half a month to go before the expiry date. Also, this problem does not affect browsers as the major browsers have already been updated.

Importing the renewed SSL certificate into AWS Certificate Manager did not help. Googled around and found that the problem was due to Sectigo AddTrust External CA Root Expiring May 30, 2020. And if Sectigo sounds unfamiliar, it’s basically a rebranding of Comodo.

Found a solution in this StackOverflow post, which worked directly on servers but needed some adjustments to apply them to Docker containers.

Firstly, a summary of the instructions for Ubuntu servers:

  1. SSH into the server. You may need to run the commands with sudo.
  2. Test the affected domain with cURL, e.g. curl https://example.com, and you will see the error “curl: (60) SSL certificate problem: certificate has expired”.
  3. Open up /etc/ca-certificates.conf with your favourite editor (nano, vi) and comment out those lines specifying AddTrust_External_Root.crt. Save the file and exit.
  4. Run apt update && apt install ca-certificates.
  5. Run update-ca-certificates -f -v.
  6. Try step 2 again. If cURL still does not work, try step 3, as the previous 2 commands may add new lines specifying AddTrust_External_Root.crt.

Now, for the Docker containers. 2 main issues are updating the Dockerfile and running the commands on the Docker containers when no text editors (nano, vi) are installed. The latter works as a quick stop-gap measure while waiting for the Dockerfile to be updated and deployed. sed is used to comment out the line in the CA config file in the absence of text editors.

  1. Update the Dockerfile and add the following:

          sed -i 's/mozilla\/AddTrust_External_Root.crt/#mozilla\AddTrust_External_Root.crt/g' /etc/ca-certificates.conf
          apt update && apt install ca-certificates
          update-ca-certificates -f -v
        
  2. This step and the following steps are to be run on the Docker containers. SSH into the server running the Docker containers (it is assumed that the server itself has been updated). You may need to run the commands with sudo.
  3. List the running containers with docker ps.
  4. Find the container ID of the affected container(s) and run a shell using docker exec -it <CONTAINER_ID> bash.

  5. Test the affected domain with cURL, e.g. curl https://example.com, and you will see the error “curl: (60) SSL certificate problem: certificate has expired”.
  6. Run the following commands:

          sed -i 's/mozilla\/AddTrust_External_Root.crt/#mozilla\AddTrust_External_Root.crt/g' /etc/ca-certificates.conf
          apt update && apt install ca-certificates
          update-ca-certificates -f -v
        
  7. Try step 5 again. If cURL still does not work, run the sed command again, as the other 2 commands may add new lines specifying AddTrust_External_Root.crt.
  8. Repeat steps 4 to 7 for the other affected Docker containers.