dark_pyrro

Everything posted by dark_pyrro

  1. From my post(s) on Discord:

     It could be linked to the fact that Let's Encrypt changed their root certificate as per the 30th of September. This can/will create problems for certain devices and operating systems. There is a fair amount of general info about this on the internet to read and how to solve it. Since the Croc is running Debian Jessie 8, it could be working, or not. Jessie is one of the operating systems that could work depending on how updated it is. If it's not updated, it might not work since it trusts the old/unsupported chain and root cert.

     So, IdenTrust DST Root CA X3 has expired and ISRG Root X1 is the one to use. Validate the chain (for example using the "openssl" command on the Croc). It will perhaps say that the chain ends up with the expired IdenTrust DST Root CA X3 certificate. The scenario might be worth checking at least.

     On the Croc, do the following.

     First check if this is the problem you are facing or not, either by executing:

         openssl s_client -connect your.c2-domain.com:443 -servername your.c2-domain.com

     or:

         curl -I https://your.c2-domain.com/

     Both should indicate that the certificate has expired (the root certificate that is).

     Verify if the expired "DST Root CA X3" certificate is available on the system (hence probably giving you problems with the Croc); it will be there if you got expired certificate issues from the commands above.

     Command:

         grep X3 /etc/ca-certificates.conf

     Output (or the vital part of it):

         mozilla/DST_Root_CA_X3.crt

     Older Debian releases most likely have the needed ISRG Root X1 present as well.

     Command:

         grep X1 /etc/ca-certificates.conf

     Output (or the vital part of it):

         mozilla/ISRG_Root_X1.crt

     "Backup" the ca-certificates.conf file:

         cp /etc/ca-certificates.conf /etc/ca-certificates.conf.old1

     Disable/remove/"blacklist" the X3 root certificate:

         sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf

     Then execute:

         update-ca-certificates -f

     Check that the change has taken place. The output of the command below should show the "DST Root CA X3" as the "diff" since it's removed:

         diff /etc/ca-certificates.conf /etc/ca-certificates.conf.old1

     Verify the certificate chain again, it should now be OK (or, if you have C2 running, the Croc should show up more or less immediately after the "update-ca-certificates" command has been executed):

         openssl s_client -connect your.c2-domain.com:443 -servername your.c2-domain.com

     and/or:

         curl -I https://your.c2-domain.com/
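The edit to ca-certificates.conf described in the post above, wrapped in a guard: this is an added example, not part of the original post. It refuses to disable DST Root CA X3 unless ISRG Root X1 is enabled, and does not overwrite the backup on a second run. The function names `disable_dst_x3` and `make_sample_conf` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: guarded form of the ca-certificates.conf edit from the post.
# Function names and the sample file are constructed for illustration.

# disable_dst_x3 CONF
#   returns 0  X3 was enabled and is now disabled (backup written to CONF.old1)
#   returns 1  nothing to do (X3 absent or already prefixed with '!')
#   returns 2  refused: ISRG Root X1 is not enabled in CONF
disable_dst_x3() {
    conf="$1"
    # Refuse to drop X3 unless the replacement root is active (no leading '!').
    grep -q '^mozilla/ISRG_Root_X1\.crt' "$conf" || return 2
    # Only act when X3 is currently enabled, so a re-run cannot replace
    # the backup with an already modified file.
    grep -q '^mozilla/DST_Root_CA_X3\.crt' "$conf" || return 1
    cp "$conf" "$conf.old1"                            # backup name used in the post
    sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' "$conf"  # sed expression from the post
    return 0
}

# Writes a constructed sample of ca-certificates.conf to the given path.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
mozilla/DST_Root_CA_X3.crt
mozilla/DigiCert_Global_Root_CA.crt
mozilla/ISRG_Root_X1.crt
EOF
}

# On the device itself (as root), rebuild the trust store only after a
# successful edit:
#   disable_dst_x3 /etc/ca-certificates.conf && update-ca-certificates -f
```

Return code 2 means the device would be left without the ISRG Root X1 trust anchor, so the X3 entry is left untouched in that case.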