The expiration of a root certificate in the Let’s Encrypt certification chain causes multiple issues, especially when coupled with older versions of OpenSSL like those in CentOS 7.
OpenSSL behaviour in that version would fail validation if it found a “bad” (read: expired) certificate anywhere along the certification path. This has a ripple effect, making the connections to KernelCare’s servers fail. Users of live patching services like KernelCare (any version) on CentOS 7 are encouraged to update the ca-certificates package, which removes the affected certificate and thus allows the live patching client to resume working as normal.
Continue reading “How Let’s Encrypt certificate changes affect Live Patching Customers”