Y2K in 2021 - LetsEncrypt failures on groovEPIC

Hello Opto22 team,

We have a fairly recent O/S on our EPIC (3.1.0-b.14 - 1/18/2021) and the OpenSSL library installed on that O/S is OpenSSL 1.0.2d 9 Jul 2015 - long before LetsEncrypt root authority was listed as a trusted root CA.

This is causing the EPIC to fail cert validation on all outbound TLS traffic to remote servers with certs issued by LetsEncrypt. Lots of information about this in the news because the root CA for LetsEncrypt certs expired on Oct. 1, 2021, and new LetsEncrypt certs aren’t trusted by the OpenSSL library from 2015.

Compare that with a RIO (older O/S 3.0.0-b.34 - 11/25/2020) which includes the OpenSSL library 1.0.2r 26 Feb 2019, and has no problem validating TLS traffic to servers with certs issued by LetsEncrypt.

Attempting to upgrade the OpenSSL library on the Epic using ‘apt-get update openssl’ shows this 2015 version as the latest.

What do you recommend we do? Do more recent EPIC O/S versions have newer versions of openssl?

I’m calling this a Y2k problem, because on Oct. 1 our EPIC stopped working for all secure traffic to servers with certs issued by LetsEncrypt (and there are lots of those out there).

Thank you,
-Loren

Thanks @loren1
Taking a look.

Turns out that the core issue is simply the age of the certificate in the root store, not the version of OpenSSL in the repo.
Different versions of EPIC and RIO firmware had different certificate ages in their root store. Sorry for not keeping on top of it better.

The work-around is to download the ISRG Root X1 certificate from this link and then upload it into the GRV-EPIC certificate trust store using groov Manage / Security / Client SSL.

That will overwrite the old certificate with the new certificate.

Opto is going to put in place the necessary engineering process to ensure that at least every year (Y2k +1) we update the certificate store so it is as current as possible.

One last note. If the server is using the old certificate chain, the connection will continue to fail even after the work-around or a firmware update with an updated trust store.
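The reply above boils the failure down to the contents of the device's root store: no ISRG Root X1 present, and a DST Root CA X3 entry that expired on 2021-09-30. Before touching a controller it helps to audit the bundle it actually uses. The script below is an added example, not Opto22's code or anything from the groov firmware. It works over the dict format that Python's own `ssl.SSLContext.get_ca_certs()` returns, so the same check runs against a real PEM bundle (via `audit_bundle`) and against the constructed sample entries embedded here. Assumptions: the sample `subject` tuples are abbreviated to the CN only, the expiry dates were chosen to match the published notAfter values of those roots, and the system default CA path used in the `__main__` block stands in for the device's bundle, whose real path on the EPIC is not stated in the thread.

```python
"""Audit a PEM trust store for the Let's Encrypt / ISRG Root X1 problem.

Added example (not from the groov firmware or the original thread). The
checks run over the list-of-dicts format returned by
ssl.SSLContext.get_ca_certs(), so they work on any PEM bundle the
device's OpenSSL would load.
"""
import ssl
import time

REQUIRED_ROOT = "ISRG Root X1"   # root that current Let's Encrypt chains end in
LEGACY_ROOT = "DST Root CA X3"   # old cross-sign root, expired 2021-09-30

# Evaluation instants used by the examples below (UTC), via ssl's own parser.
SEP_1_2021 = ssl.cert_time_to_seconds("Sep 1 00:00:00 2021 GMT")
OCT_1_2021 = ssl.cert_time_to_seconds("Oct 1 00:00:00 2021 GMT")


def common_name(subject):
    """Pull commonName out of the nested RDN tuples ssl uses for 'subject'."""
    for rdn in subject:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def audit_roots(ca_certs, now=None):
    """Return findings for an iterable of CA dicts ('subject', 'notAfter').

    now: unix time to evaluate expiry against (default: the current time).
    """
    now = time.time() if now is None else now
    names, expired = [], []
    for cert in ca_certs:
        cn = common_name(cert.get("subject", ()))
        names.append(cn)
        if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
            expired.append(cn)
    return {
        "count": len(names),
        "has_isrg_root_x1": REQUIRED_ROOT in names,
        "has_expired_dst_root": LEGACY_ROOT in expired,
        "expired": expired,
    }


def needs_update(findings):
    """True when Let's Encrypt-issued server certs will fail to validate."""
    return not findings["has_isrg_root_x1"] or findings["has_expired_dst_root"]


def audit_bundle(pem_path, now=None):
    """Load a PEM bundle (e.g. the device's CA file) and audit it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=pem_path)
    return audit_roots(ctx.get_ca_certs(), now)


# Constructed sample stores (subjects abbreviated to CN; dates match the
# published notAfter of each real root). OLD is what a 2015-era bundle
# looked like; FIXED is the same bundle after adding ISRG Root X1.
SAMPLE_OLD_STORE = [
    {"subject": ((("commonName", "DST Root CA X3"),),),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("commonName", "DigiCert Global Root CA"),),),
     "notAfter": "Nov 10 00:00:00 2031 GMT"},
]
SAMPLE_FIXED_STORE = SAMPLE_OLD_STORE + [
    {"subject": ((("commonName", "ISRG Root X1"),),),
     "notAfter": "Jun 4 11:04:38 2035 GMT"},
]

if __name__ == "__main__":
    # Stand-in for the device bundle: the local system default CA file.
    cafile = ssl.get_default_verify_paths().cafile
    if cafile:
        result = audit_bundle(cafile)
        print(cafile, result, "NEEDS UPDATE" if needs_update(result) else "ok")
    else:
        print("no default CA file found; pass a PEM path to audit_bundle()")
```

Note what the audit does not cover: the reply's last point, a server that still sends the old chain ending in DST Root CA X3. The 1.0.2-series OpenSSL on the EPIC builds one chain and rejects it when that root is expired, even with ISRG Root X1 in the store. You can see which chain a server sends with `openssl s_client -connect host:443 -showcerts`; if the last intermediate is issued by DST Root CA X3, the fix is on the server side.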

Thank you for your prompt response, and for keeping up with certs in future versions.

This solution resolved the issue we were having.

Cheers,
-Loren
