letsencrypt problem on linux
-
One of letsencrypt's root certs expired today, and their backup trust relationship seems to be causing problems with api calls to or from jsreport running on CentOS8.
If I open jsreport studio or my web api up in a browser, it works fine, because the browser understands the new trust relationship. However, if I make api calls to jsreport from my C# code, I get certificate errors - and conversely, if my jsreport script makes api calls to my C# web api also running on the same machine, it gets certificate errors - so it seems that both node and dotnet core 3.1 for linux don't know how to deal with the newer root cert letsencrypt is now using.
I was able to work around the problem by changing my C# code and the jsreport startup script to ignore certificate errors but am hoping someone else runs into this problem who knows how to fix it correctly. I presume there is a way to add a new root cert to both node and dotnet on linux, but it looked to me like at least for node, they are maybe compiled in at build time rather than read from say the filesystem? I tried upgrading both node and dotnet to latest LTS, but that didn't fix it unfortunately.
You can read more about the change that broke things here:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
-
Postman seems to have the same problem:
https://github.com/postmanlabs/postman-app-support/issues/10338
-
FWIW, a better workaround I think is just to switch the CA that acme.sh or whatever your ACME client may be uses - everybody is getting in on the free certificate game now:
https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
That fixed it for me.