From nobody Mon Feb 9 01:30:44 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass(p=reject dis=none) header.from=citrix.com ARC-Seal: i=1; a=rsa-sha256; t=1677259799; cv=none; d=zohomail.com; s=zohoarc; b=i92G/hSGUh402cpyZV4vYOV87t+72o6DX9EwEVhX7LSNNgXiFpG/sdAYy7DCklfL/MeXofLQYqBGKxs7pkyK7QRI13evSYQvfFvk1G5PmrU49xpT5GFoVwgB6sbs/hxUgk3I8KEoh1thyjZ4mXgU6r0kXdxBVHmMVoefyQfbzII= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1677259799; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=j/bDein90ZZweL7NQWTl/OleqxtsaRBTV+weMWlpv/Y=; b=jwstwiSyafR/nHAze4kw6ZPV2fvaT1Jd5WUUoI+m/WpVoBdNZrPQOO16cTPvqrQb/72pRs+LxrazAe/CQd8/+hUE/FHXnjY1Nj+mT4QsuXIiTifqvKz+HTvD2u9r9nGXOeFIwSVJJRlWYjbIGtsMwCLxG2JkaPYCKc8jSYlpGx0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1677259799109688.0287862681321; Fri, 24 Feb 2023 09:29:59 -0800 (PST) Received: from list by lists.xenproject.org with outflank-mailman.501345.773066 (Exim 4.92) (envelope-from ) id 1pVbt0-0001Ad-5H; Fri, 24 Feb 2023 17:29:34 +0000 Received: by outflank-mailman (output) from mailman id 501345.773066; Fri, 24 Feb 2023 17:29:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1pVbt0-0001AU-28; Fri, 24 Feb 2023 17:29:34 +0000 Received: by outflank-mailman (input) for mailman id 501345; Fri, 24 Feb 2023 17:29:32 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1pVbsy-0000bj-1s for xen-devel@lists.xenproject.org; Fri, 24 Feb 2023 17:29:32 +0000 Received: from esa2.hc3370-68.iphmx.com (esa2.hc3370-68.iphmx.com [216.71.145.153]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id c8f907a6-b468-11ed-a82a-c9ca1d2f71af; Fri, 24 Feb 2023 18:29:29 +0100 (CET) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: c8f907a6-b468-11ed-a82a-c9ca1d2f71af DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1677259769; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=1ZVP9ILrNhbusIRgE8ATcFEGu4Gjie58ccJgoiV0r98=; b=X0Vij8GE+XKzqzP8iINDyFxUbYiR63g9uOezhfy10fmFZrm2YMI0TimO fH/+AToj+WTO/zySdXxKMQWDP8awDaliWlkfTNg17na/JbfNtdiyRmuRX KlqbQzyItX+erRR8oS6V+xV6rkCjOF3oGs8z6oUujQtwzvbtX8p+FtJdK E=; Authentication-Results: esa2.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none X-SBRS: 4.0 X-MesageID: 98354844 X-Ironport-Server: esa2.hc3370-68.iphmx.com X-Remote-IP: 162.221.156.123 X-Policy: $RELAYED IronPort-Data: A9a23:6RPR6qlcfYMDshxa1vzFXybo5gyZJkRdPkR7XQ2eYbSJt1+Wr1Gzt xJMDzqDM/vYMWSjKNskO97l9BhTvcLdy9VnT1RurCk8ECMWpZLJC+rCIxarNUt+DCFhoGFPt JxCN4aafKjYaleG+39B55C49SEUOZmgH+a6U6icfHgqH2eIcQ954Tp7gek1n4V0ttawBgKJq LvartbWfVSowFaYCEpNg064gE4p7auaVA8w5ARkPqgR5gOGzBH5MbpETU2PByqgKmVrNrbSq 9brlNmR4m7f9hExPdKp+p6TnpoiG+O60aCm0xK6aoD66vRwjnVaPpUTbZLwXXx/mTSR9+2d/ f0W3XCGpaXFCYWX8AgVe0Ew/yiTpsSq8pefSZS0mZT7I0Er7xIAahihZa07FdRwxwp5PY1B3 e0cORogSi6EvsP18eOKUedhv54CC+C+aevzulk4pd3YJfMvQJSFSKTW/95Imjw3g6iiH96HO ZBfM2A2Kk2dPVsWYAx/5JEWxY9EglH2dSFYr1SE47I6+WHJwCR60aT3McqTcduPLSlQthfI/ T+arzilav0cHMaF8hWCr2qdv7PwgHL3cqspHaT7+sc/1TV/wURMUUZLBDNXu8KRmkO4Ht5SN UEQ0i4vtrQpslymSMHnWB+1q2LCuQQTM/JbGvc27wylwaPO7wGUQGMDS1Zpc8c6vcU7QTgr0 F6hnN7zAzFr9rqPRhqgGqy89G3of3JPdClbOHFCFFFeizX+nG0tpgPLX/xONJCyt/y2KGDB2 D6HlXIfoJxG2KbnyJ6H1VzAhjutoL3AQQg0+hjbUwqZ0+9pWGK2T9f2sAaGtJ6sOK7cFwDc5 yZcx6By+chUVfmweDqxrPLh9V1Dz9KMK3XijFFmBPHNHBz9qif4Lei8DNyTTXqF0/romxezP Sc/WisLvve/2UdGiocmC79d8+xwkcDd+S3ND5g4lOZmbJlrbxOg9ypzf0OW1G2FuBFyzv5mZ sjBLpv9XSdy5UFbIN2eHbp17FPW7npmmTO7qW7TknxLLoZylFbKEOxYYTNin8gy7b+eoRW9z jqsH5Li9vmra8WnOnO/2ddKfTg3wY0TWcieRzp/KrTSfWKL2QgJV5fs/F/WU9A6w/8Izr+Vp xlQmCZwkTLCuJEOEi3SAlgLVV8ldc8XQa4TVcD0AWuV5g== IronPort-HdrOrdr: A9a23:FZq3Zq6fLKauuWrWPwPXwM7XdLJyesId70hD6qhwISY7TiX+rb HIoB17726MtN9/YhAdcLy7VZVoBEmsl6KdgrNhWYtKPjOHhILAFugLhuHfKn/bakjDH4ZmpM FdmsNFZuEYY2IXsS+D2njaL+od X-IronPort-AV: E=Sophos;i="5.97,325,1669093200"; d="scan'208";a="98354844" From: Anthony PERARD To: CC: Andrew Cooper , Anthony PERARD , Doug Goldstein , "Stefano Stabellini" Subject: [XEN PATCH v3 3/4] automation: Remove expired root certificates used to be used by let's encrypt Date: Fri, 24 Feb 2023 17:29:14 +0000 Message-ID: <20230224172915.39675-4-anthony.perard@citrix.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230224172915.39675-1-anthony.perard@citrix.com> References: <20230224172915.39675-1-anthony.perard@citrix.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @citrix.com) X-ZM-MESSAGEID: 1677259800673100005 Content-Type: text/plain; charset="utf-8" While the Let's Encrypt root certificate ISRG_Root_X1.crt is already present, openssl seems to still check for the root certificate DST_Root_CA_X3.crt which has expired. This prevent https connections. Removing DST_Root_CA_X3 fix the issue. Signed-off-by: Anthony PERARD --- Notes: v3: - remove change to Debian Jessie containers, as we won't use them with HTTPS urls. =20 v2: - remove unneeded changes to CentOS containers automation/build/ubuntu/trusty.dockerfile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/automation/build/ubuntu/trusty.dockerfile b/automation/build/u= buntu/trusty.dockerfile index b298a515c6..22e294c20c 100644 --- a/automation/build/ubuntu/trusty.dockerfile +++ b/automation/build/ubuntu/trusty.dockerfile @@ -47,3 +47,8 @@ RUN apt-get update && \ apt-get autoremove -y && \ apt-get clean && \ rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/* + +# Remove expired certificate that Let's Encrypt certificates used to relie= on. +# (Not needed anymore) +RUN sed -i 's#mozilla/DST_Root_CA_X3\.crt#!\0#' /etc/ca-certificates.conf = && \ + update-ca-certificates --=20 Anthony PERARD