How Let’s Encrypt certificate changes affect Live Patching Customers

The expiration of a root certificate in the Let’s Encrypt certification chain causes multiple issues, especially when coupled with older versions of OpenSSL like those in CentOS 7.

OpenSSL behaviour in that version would fail validation if it found a “bad” (read: expired) certificate anywhere along the certification path. This has a ripple effect, making the connections to KernelCare’s servers fail. Users of live patching services like KernelCare (any version) on CentOS 7 are encouraged to update the ca-certificates package, which removes the affected certificate and thus allows the live patching client to resume working as normal.

Continue reading “How Let’s Encrypt certificate changes affect Live Patching Customers”

ELS fix is available for Let’s Encrypt certificate changes

Let’s Encrypt is a practical way of obtaining certificates and implementing TLS encryption across a wide range of applications. Looking at the number of issued certificates, it is the largest Certificate Authority (CA) in the world. It is also widely used in automation scenarios due to its convenient renewal mechanism.

 

The recent expiration of a root certificate in the Let’s Encrypt default certification chain (September 30th, 2021) causes serious issues with older OpenSSL versions. However, patches for OpenSSL versions present in Centos 6/Oracle Linux 6/CloudLinux 6 are already available and should be deployed as soon as possible for all affected systems.

Continue reading “ELS fix is available for Let’s Encrypt certificate changes”