[Let's Encrypt] Remove ISRG Root X1 intermediate CA cert issued by expired DST Root CA X3
Version
15.5.1-ce.0 (upgraded all the way from very, very long ago)
Summary
While a pentest was being done, the pentesters noted that our GitLab server returns 2 certificate paths:
One with the Let's Encrypt certificate "ISRG Root X1", which is self-signed and in the trust stores of all browsers. No issues with that path.
Besides that path, the GitLab server sends an additional "ISRG Root X1" certificate that was signed by the expired root CA 'DST Root CA X3'.
We manually removed that certificate from /etc/gitlab/ssl/foo.crt, but after GitLab renewed the certificate the "ISRG Root X1" certificate signed by the expired root CA 'DST Root CA X3' is back again.
I'm looking for a permanent way to force GitLab to omit the 2nd "ISRG Root X1" certificate in the .crt file.
Certificate Paths
Logs
* acme_certificate[production] action create
* file[my.gitlab.url.example.com SSL key] action nothing (skipped due to action :nothing)
* file[my.gitlab.url.example.com SSL key] action create_if_missing (up to date)
* directory[/etc/gitlab/ssl] action create (up to date)
* file[/etc/gitlab/ssl/letsencrypt_account_private_key.pem] action create
- create new file /etc/gitlab/ssl/letsencrypt_account_private_key.pem
- update content in file /etc/gitlab/ssl/letsencrypt_account_private_key.pem from none to 65e299
- suppressed sensitive resource
- change mode from '' to '0600'
* directory[/var/opt/gitlab/nginx/www/.well-known/acme-challenge] action nothing (skipped due to action :nothing)
* directory[/var/opt/gitlab/nginx/www/.well-known/acme-challenge] action create (up to date)
* file[/var/opt/gitlab/nginx/www/.well-known/acme-challenge/T7_UsUHjjQRVfB0S-6AumKLnNTVUcSvEaVJTbHeKYjY] action nothing (skipped due to action :nothing)
* file[/var/opt/gitlab/nginx/www/.well-known/acme-challenge/T7_UsUHjjQRVfB0S-6AumKLnNTVUcSvEaVJTbHeKYjY] action create
- create new file /var/opt/gitlab/nginx/www/.well-known/acme-challenge/T7_UsUHjjQRVfB0S-6AumKLnNTVUcSvEaVJTbHeKYjY
- update content in file /var/opt/gitlab/nginx/www/.well-known/acme-challenge/T7_UsUHjjQRVfB0S-6AumKLnNTVUcSvEaVJTbHeKYjY from none to 1feb2f
--- /var/opt/gitlab/nginx/www/.well-known/acme-challenge/T7_UsUHjjQRVfB0S-6AumKLnNTVUcSvEaVJTbHeKYjY 2022-10-31 12:40:26.305866876 +0100
+++ /var/opt/gitlab/nginx/www/.well-known/acme-challenge/.chef-T7_UsUHjjQRVfB0S-6AumKLnNTVUcSvEaVJTbHeKYjY20221031-1710542-9jurlk 2022-10-31 12:40:26.305866876 +0100
@@ -1 +1,2 @@
+T7_UsUHjjQRVfB0S-6AumKLnNTVUcSvEaVJTbHeKYjY.OX9ZhvckrKR-Y06m0WatIBiMJT5UE2u9Bpc5gcY1_S4
- change mode from '' to '0644'
- change owner from '' to 'root'
- change group from '' to 'root'
* file[/var/opt/gitlab/nginx/www/.well-known/acme-challenge/T7_UsUHjjQRVfB0S-6AumKLnNTVUcSvEaVJTbHeKYjY] action delete
- delete file /var/opt/gitlab/nginx/www/.well-known/acme-challenge/T7_UsUHjjQRVfB0S-6AumKLnNTVUcSvEaVJTbHeKYjY
* ruby_block[create certificate for my.gitlab.url.example.com] action run
* file[my.gitlab.url.example.com SSL new crt] action create
- update content in file /etc/gitlab/ssl/my.gitlab.url.example.com.crt from 78f598 to 01f59f
--- /etc/gitlab/ssl/my.gitlab.url.example.com.crt 2022-10-31 12:40:16.697954182 +0100
+++ /etc/gitlab/ssl/.chef-gitty20221031-1710542-x12gbe.example.com.crt 2022-10-31 12:40:29.333839993 +0100
@@ -1,19 +1,94 @@
-----BEGIN CERTIFICATE-----
+censored server certificate
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+-----END CERTIFICATE-----
- execute the ruby block create certificate for my.gitlab.url.example.com
* file[/etc/gitlab/ssl/letsencrypt_account_private_key.pem] action delete
- delete file /etc/gitlab/ssl/letsencrypt_account_private_key.pem
The first CERTIFICATE block is the server's certificate:
Issuer: C = US, O = Let's Encrypt, CN = R3
Subject: CN = my.gitlab.url.example.com
The second CERTIFICATE block is the "R3" intermediate cert:
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Subject: C = US, O = Let's Encrypt, CN = R3
The last CERTIFICATE block is the offending one:
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Why is this certificate inserted into the chain? It serves no purpose after "DST Root CA X3" expired on 30 Sep 2021.
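To check a renewed chain file for this cross-signed block and strip it without waiting on the next renewal, the bundle can be inspected block by block. The following is an added example, not GitLab's or Let's Encrypt's code: it uses only the Python standard library, walking the DER just far enough to read each block's issuer and subject CN, and drops any block issued by the expired root. `fake_cert_pem` builds constructed, unsigned test certificates so it runs offline; the real input would be the `/etc/gitlab/ssl/my.gitlab.url.example.com.crt` written in the log above.

```python
import base64, re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
CN_OID_TLV = b"\x06\x03\x55\x04\x03"  # DER-encoded OID 2.5.4.3 (commonName): tag, length, value
def _tlv(buf, pos):  # decode one DER tag-length-value -> (tag, value_start, value_end)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln
def _children(buf, start, end):  # yield the elements of a constructed type, in order
    while start < end:
        tag, vs, start = _tlv(buf, start)  # the value end of one element is the next start
        yield tag, vs, start
def _cn(der, start, end):  # commonName out of a Name: SEQUENCE OF SET OF SEQUENCE {OID, value}
    for _, set_s, set_e in _children(der, start, end):
        for _, atv_s, atv_e in _children(der, set_s, set_e):
            if der[atv_s:atv_s + 5] == CN_OID_TLV:
                _, vs, ve = next(_children(der, atv_s + 5, atv_e))
                return der[vs:ve].decode()
    return ""

def names(der):  # (issuer_cn, subject_cn) of one DER-encoded certificate
    _, cert_s, _ = _tlv(der, 0)          # Certificate SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)  # tbsCertificate SEQUENCE
    fields = [f for f in _children(der, tbs_s, tbs_e) if f[0] != 0xA0]  # drop optional [0] version
    issuer, subject = fields[2], fields[4]  # serial, signatureAlg, issuer, validity, subject, ...
    return _cn(der, *issuer[1:]), _cn(der, *subject[1:])

def chain_names(pem_text):
    """List (issuer_cn, subject_cn) for every PEM block, in bundle order."""
    return [names(base64.b64decode(m.group(1))) for m in PEM_BLOCK.finditer(pem_text)]

def prune_bundle(pem_text, expired_root_cn="DST Root CA X3"):
    """Drop every block issued by expired_root_cn; return (kept_pem, dropped (issuer, subject) pairs)."""
    kept, dropped = [], []
    for m in PEM_BLOCK.finditer(pem_text):
        issuer, subject = names(base64.b64decode(m.group(1)))
        if issuer == expired_root_cn:
            dropped.append((issuer, subject))
        else:
            kept.append(m.group(0))
    return "\n".join(kept) + "\n", dropped

def fake_cert_pem(issuer_cn, subject_cn):
    """Constructed, unsigned certificate skeleton carrying only the fields names() reads (test data)."""
    der = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths are enough here
    name = lambda cn: der(0x30, der(0x31, der(0x30, CN_OID_TLV + der(0x0C, cn.encode()))))
    tbs = der(0x02, b"\x01") + der(0x30, b"") + name(issuer_cn) + der(0x30, b"") + name(subject_cn)
    b64 = base64.encodebytes(der(0x30, der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----"
```

Because the `acme_certificate` run in the log rewrites the .crt on every renewal, a pruned copy only lasts until the next reconfigure, so the pruning has to be re-applied after each renewal.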
