Certificate verification error connecting to the cloud

General
1

Symptom: Agent can’t connect to cloud after Sep 30th.

2021-10-01 13:13:09: netdata ERROR : ACLK_Main : [mqtt_wss] E: verify error:num=10:certificate has expired:depth=3:/O=Digital Signature Trust Co./CN=DST Root CA X3

TL;DRFor TLS certificates issued by Let’s Encrypt, the root certificate (DST Root CA X3) in the default chain expires on September 30, 2021 . Due to their unique approach, the expired certificate will continue to be part of the certificate chain till 2024. This affects OpenSSL 1.0.2k on RHEL/CentOS 7 servers , and will result in applications/tools failing to establish TLS/HTTPS connections with a certificate has expired message.

As of 24/9/21, upgrading ca-certificates package ( 2021.2.50–72 ) should fix the issue. Version 2021.2.50–72 removes DST Root CA X3 .

3

Just to udpate that there is a more recent package to consider https://centos.pkgs.org/7/centos-updates-x86_64/ca-certificates-2021.2.50-72.el7_9.noarch.rpm.html

4

How about Debian 9 Stretch. Any hint how resolve error code 7?

5

I believe that yours is a more generic question of how to keep the certificate chain up to date. update-ca-certificates is available, but I don’t think we can offer specific advice. It may be best to ask on a different forum, perhaps stackoverflow will already have the answer. I’m just not sure what that “error code 7” is, so I couldn’t find anything online related to it.

6

Thanks.
I’ve made an issue on Github
#14989

https://github.com/netdata/netdata/issues/14989