Certificate expired when connecting to coreos.com #1227

Closed
xanpaco opened this issue Nov 3, 2023 · 1 comment
Labels
kind/bug Something isn't working

Comments


xanpaco commented Nov 3, 2023

Description

I'm using a Virtual Appliance for one major IDM Solution Provider. The VA uses a script to connect to coreos.com; when validating the error, the following message appears:
Verify return code: 10 (certificate has expired)

Impact

Virtual Appliance cannot complete the update and installation process

Environment and steps to reproduce

  1. Environment: Virtual Server with the following OS: cat /etc/os-release
    NAME="Flatcar Container Linux by Kinvolk"
    ID=flatcar
    ID_LIKE=coreos
    VERSION=2345.3.1
    VERSION_ID=2345.3.1
    BUILD_ID=2020-03-26-2026
    PRETTY_NAME="Flatcar Container Linux by Kinvolk 2345.3.1 (Rhyolite)"
    ANSI_COLOR="38;5;75"
    HOME_URL="https://flatcar-linux.org/"
    BUG_REPORT_URL="https://issues.flatcar-linux.org/"
    FLATCAR_BOARD="amd64-usr"

  2. Connect to coreos.com using openssl client.

  3. Reports: verify error:num=10:certificate, detailed output in "Additional information"

Expected behavior

A successful TLS connection with coreos.com (with a non-expired certificate)

Additional information

openssl s_client -connect coreos.com:443
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
0 s:/CN=redirects.redhat.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Server certificate
subject=/CN=redirects.redhat.com
issuer=/C=US/O=Let's Encrypt/CN=R3
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 4650 bytes and written 416 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 15E03D63FFDF14006BE7C4835BEC988888D7056BEC887E86B890030D15267C84
Session-ID-ctx:
Master-Key: FFCA32A455AFFBA26444B54FC207501CD2CC77D670D5474860104AC3B59C5FCF133BED6ED2875D383BEBFDC64C7BE1F8
Key-Arg : None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1698965750
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)

Member

pothos commented Nov 3, 2023

Please update to the latest version. You can't use an OS from 2020 because the TLS certificate database will be outdated.

P.S.: If you even have problems connecting to the update server after re-enabling updates, you can follow the second paragraph here to update the instance: https://www.flatcar.org/docs/latest/migrating-from-coreos/update-from-container-linux/#the-migration-script
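
An added example, not part of the issue thread or the Flatcar project: a small triage of the `openssl s_client` output quoted in the report. It shows that the certificate failing with error 10 sits at depth 3, while the server only sent certificates 0 to 2, so the expired certificate came from the client's local trust store rather than from the server. The function name `triage` and the trimmed `SAMPLE` text are constructed for this illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the relevant lines of the s_client output quoted in the issue.
SAMPLE = """\
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate chain
 0 s:/CN=redirects.redhat.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Start Time: 1698965750
Verify return code: 10 (certificate has expired)
"""

def triage(output):
    """Locate the certificate that failed verification in s_client output (hypothetical helper)."""
    err = re.search(
        r"^depth=(\d+) (.*)\nverify error:num=\d+:(.*)(?:\nnotAfter=(.*))?",
        output, re.M)
    if err is None:
        return None  # no verification error reported
    depth = int(err.group(1))
    # Certificates the server actually sent are listed as "<index> s:<subject>".
    sent = {int(i) for i in re.findall(r"^\s*(\d+) s:", output, re.M)}
    result = {
        "depth": depth,
        "subject": err.group(2).strip(),
        "error": err.group(3).strip(),
        # A failing depth beyond the sent chain was supplied by the client's CA store.
        "source": "server chain" if depth in sent else "local trust store",
    }
    start = re.search(r"^\s*Start Time\s*:\s*(\d+)", output, re.M)
    if err.group(4) and start:
        not_after = datetime.strptime(
            err.group(4).strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        seen = datetime.fromtimestamp(int(start.group(1)), timezone.utc)
        result["days_expired"] = (seen - not_after).days
    return result

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A result of `local trust store` points at the client's CA bundle, which is consistent with the maintainer's advice to update the OS; a result of `server chain` would instead mean the server is presenting an expired certificate.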
