Sobi Blog


The day the AddTrust External CA Root Certificate expired

On 30 May 2020, the AddTrust External CA Root Certificate expired. Expiration of a certificate is nothing unusual. Certificates expire all the time, and the certificates of certification authorities expire only once in many years (20+ years). But on 30 May 2020, the expiring certification authority certificate created an issue that made our SobiPro repository unavailable for some of our customers.

Unfortunately it took some time until we completely understood what happened to our repository and how to fix it.

Certificate Authorities control multiple root certificates, and the older root certificates are generally more widely distributed on older servers. Certificate Authorities generate cross-certificates to ensure that their certificates are supported as widely as possible. A cross-certificate uses the same public key as the root being signed, and the same subject.

Our repository uses a certificate issued by the COMODO RSA Certification Authority. Sectigo (formerly Comodo) operates a root certificate named AddTrust External CA Root, which was used to create cross-certificates for the modern Sectigo root certificates, the COMODO RSA Certification Authority and the USERTrust RSA Certification Authority. Those root certificates do not expire until 2038.
The AddTrust External CA Root, however, expired on 30 May 2020.

What happens?

The SobiPro repository shows an expired certificate.

SSL validation error: The SSL certificate for the SobiPro repository has expired.

Checking the certificate shows that it is good until 29 September 2020, but SobiPro is not able to validate it positively.

It is also not possible to add the repository again. In fact, SobiPro does not even try to connect to the repository, because the validation of the repository certificate fails. This is the correct behaviour if the certificate is indeed expired.

This problem does not happen for all users, and it did not happen for us or our support staff. But we have an old local testing server, and there the problem happens too.

As connecting to the repository with a browser also does not show any problems, we concentrated on the way SobiPro connects to the repository. SobiPro uses cURL over SSL, which needs an OpenSSL (or similar) library installed on the server SobiPro is running on.

After 30 May 2020, modern SSL libraries and browsers chain back to the modern root certificates that the older AddTrust root was used to cross-sign. No problems occur on newer servers that have been kept up to date.

The library responsible for the problem is OpenSSL. There is a bug in OpenSSL versions below 1.1.1, where OpenSSL refuses to connect if the root certificate is expired. OpenSSL 1.1.1 skips the expired root certificate and correctly continues looking for additional root certificates that can prove that our repository certificate is valid.

What if the problem happens for you?

In the meantime, we replaced the old intermediate certificates for our repository server with newer ones, so the problem should no longer happen for you!

Why did the problem happen for you and not for other users?

The problem happened for all servers with an older version of OpenSSL, specifically an OpenSSL version below 1.1.1. Check the 'OpenSSL Library Version' in the 'PHP Information' screen of your Joomla back-end. As described above, these older libraries refuse to connect if the root certificate is expired, instead of skipping it and correctly continuing to look for additional root certificates.
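The following simplified model is an added illustration, not SobiPro or OpenSSL code: it builds candidate chains from a served cross-certificate and a trust store, then compares a client that stops at the first chain with one that keeps looking. The key labels, the placeholder leaf name, the check date, the cross-certificate's expiry date and the day within 2038 are constructed assumptions, and the server-side fix is modelled as no longer serving the cross-certificate.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str        # label for this certificate's public key (constructed)
    signed_by: str  # label for the key that signed it (constructed)
    not_after: date

def candidate_paths(cert, served, store):
    """Yield chains from cert up to a trust-store root, served certs first."""
    for cand in list(served) + list(store):
        # An issuer must match on subject name AND on the signing key.
        if (cand.subject, cand.key) != (cert.issuer, cert.signed_by) or cand == cert:
            continue
        if cand in store:
            yield [cert, cand]
        else:
            for rest in candidate_paths(cand, served, store):
                yield [cert] + rest

def verify(leaf, served, store, today, keep_looking):
    """keep_looking=False models the behaviour the article gives for OpenSSL
    below 1.1.1; keep_looking=True models the behaviour it gives for 1.1.1."""
    for path in candidate_paths(leaf, served, store):
        if all(c.not_after >= today for c in path):
            return True
        if not keep_looking:
            return False  # refuse as soon as the first chain has expired
    return False

ADDTRUST = Cert("AddTrust External CA Root", "AddTrust External CA Root",
                "K-addtrust", "K-addtrust", date(2020, 5, 30))
COMODO_ROOT = Cert("COMODO RSA Certification Authority",
                   "COMODO RSA Certification Authority",
                   "K-comodo", "K-comodo", date(2038, 1, 1))  # day constructed
# Cross-certificate: same subject and key as the root, signed by AddTrust.
CROSS = Cert("COMODO RSA Certification Authority", "AddTrust External CA Root",
             "K-comodo", "K-addtrust", date(2020, 5, 30))  # expiry assumed
LEAF = Cert("repository.example (placeholder)",
            "COMODO RSA Certification Authority",
            "K-leaf", "K-comodo", date(2020, 9, 29))
STORE = (ADDTRUST, COMODO_ROOT)
TODAY = date(2020, 6, 1)  # constructed check date after the expiry

if __name__ == "__main__":
    print("old client, old chain:", verify(LEAF, [CROSS], STORE, TODAY, False))
    print("new client, old chain:", verify(LEAF, [CROSS], STORE, TODAY, True))
    print("old client, new chain:", verify(LEAF, [], STORE, TODAY, False))
```

Because the cross-certificate and the self-signed root share subject and key, both are valid issuers for the leaf; which one the client reaches first decides whether the expired AddTrust root is ever evaluated.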

Technical information on the root certificate expiration issue.

Sigrid Suski

Sigrid lives in a small village near Frankfurt on the Main in Germany.
She studied electrotechnics before she started to work as a software engineer for industrial products using Microsoft C++/MFC.
Sigrid has worked full time for the Sobi projects since 2009.
Her programming experience started with the programming languages Pascal and C, followed by C++, which is a good basis for developing software for Joomla!, especially since the object-oriented development techniques she knows well found their way into PHP.

Besides her development work for the Sobi project, she is mainly responsible for design solutions, quality management and for all business affairs and public relations. Sigrid is also in charge of the translations and documentations for SobiPro, as well as of the Sigsiu.NET company and demo websites.

Sigrid is a member of the German J and Beyond e.V. She has been involved in Joomla! for many years. Just now she is helping to build the Joomla Template Directory. Her former positions include assistant team leader of the Joomla! Events Team and team leader of the Joomla! Social Media team.

Sigrid enjoys cuisine, bee-keeping and the outdoors in her leisure time, including spending time working in the garden. She also enjoys taking photos, although she doesn't have as much time for photography lately.
