[DOCS-14502] Amazon Linux does not trust ISRG Root X1 Created: 25/May/21 Updated: 29/Oct/23 Resolved: 02/Jun/21 |
|
| Status: | Closed |
| Project: | Documentation |
| Component/s: | Atlas |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Jennifer Huang (Inactive) | Assignee: | Zachary Carr |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | cet-captain | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Participants: | |
| Days since reply: | 2 years, 36 weeks ago |
| Story Points: | 3 |
| Description |
Amazon Linux AMI does not trust the new ISRG Root X1 root CA. Amazon Linux AMI is EOL, which is probably why they are not getting the security updates needed to be compatible with ISRG Root X1. But there are many customers still using it; I've seen a few support cases opened in the last few days on this, and there could be more. Some AWS Lambda services are still hosted on Amazon Linux AMI; see https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html. Can we add a section in this doc, similar to the "Hard-coded Certificate Authority" and "Java user" sections, to warn people that if they are on Amazon Linux AMI they should migrate before September to Amazon Linux 2, which supports ISRG Root X1? Some context:
Scope of changes
Impact to Other Docs
MVP (Work and Date)
Resources (Scope or Design Docs, Invision, etc.) |
| Comments |
| Comment by Zachary Carr [ 02/Jun/21 ] | ||||
|
Thanks Jennifer! – Merged to master. | ||||
| Comment by Jennifer Huang (Inactive) [ 02/Jun/21 ] | ||||
|
Thanks zach.carr, that looks good. | ||||
| Comment by Zachary Carr [ 02/Jun/21 ] | ||||
|
Thanks for reviewing jennifer.huang - updated with the date, using your wording. Here's the staged page if you want to take another look. | ||||
| Comment by Jennifer Huang (Inactive) [ 02/Jun/21 ] | ||||
|
Thanks zach.carr for looking into this. I agree not to specify the steps for installing the cert manually. One thing about the September 2021 deadline for the cert switch: I don't see any other mention of the deadline on the page, so maybe we need to give a little more info about it?
If you are using Amazon Linux AMI, you should migrate to Amazon Linux 2 before September 30 2021, when the support of ISRG Root X1 certificates becomes mandatory for Atlas to avoid certificate compatibility issues. | ||||
| Comment by Zachary Carr [ 01/Jun/21 ] | ||||
|
Hi jennifer.huang, thanks for the detailed ticket. I added an FAQ item in this PR: https://github.com/10gen/cloud-docs/pull/2364, would you mind taking a look to confirm it's accurate? I left out your manual install steps, both to encourage customers to migrate and to avoid maintaining a procedure. Let me know if you think we need the steps. Thanks! If it's easier to review on this ticket, here's the staged view. | ||||
| Comment by Jennifer Huang (Inactive) [ 27/May/21 ] | ||||
|
I can manually install ISRG root CA on Amazon Linux with the following steps:
People who really don't want to migrate to Amazon Linux 2 before the end of September will have to manually install the certificate. Not sure what level of detail we need to include in the doc about installing the CA; more testing is needed if we need to include commands. | ||||
| Comment by Phil Jordan [ 26/May/21 ] | ||||
|
FYI chris.shum |