[DOCS-14502] Amazon Linux does not trust ISRG Root X1
Created: 25/May/21  Updated: 29/Oct/23  Resolved: 02/Jun/21

Status: Closed
Project: Documentation
Component/s: Atlas
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Major - P3
Reporter: Jennifer Huang (Inactive)
Assignee: Zachary Carr
Resolution: Fixed
Votes: 0
Labels: cet-captain
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:
Days since reply: 2 years, 36 weeks ago
Story Points: 3

Description

Amazon Linux AMI does not trust the new ISRG Root X1 root CA.

Amazon Linux AMI is EOL, which is probably why they are not getting the security updates needed to be compatible with ISRG Root X1. But there are many customers still using it; I've seen a few support cases opened in the last few days on this, and there could be more.

Some AWS Lambda services are still hosted on Amazon Linux AMI, see https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html.

Can we add a section in this doc, similar to the "Hard-coded Certificate Authority" and the "Java user" sections, to warn people that if they are on Amazon Linux AMI, they should migrate before September to Amazon Linux 2, which supports ISRG Root X1?

Some context:
https://community.letsencrypt.org/t/confirm-whether-amazon-linux-trust-isrg-root-x1/152464

 Comments   
Comment by Zachary Carr [ 02/Jun/21 ]

Thanks Jennifer!

Merged to master.

Comment by Jennifer Huang (Inactive) [ 02/Jun/21 ]

Thanks zach.carr, that looks good.

Comment by Zachary Carr [ 02/Jun/21 ]

Thanks for reviewing jennifer.huang - updated with the date, using your wording. Here's the staged page if you want to take another look.

Comment by Jennifer Huang (Inactive) [ 02/Jun/21 ]

Thanks zach.carr for looking into this. I agree not to specify the steps for installing the cert manually.

One thing about the September 2021 deadline for the cert switch: I don't see any other mention of the deadline on the page; hence, maybe we need to give a little more info about it?

If you are using Amazon Linux AMI, you should migrate to Amazon Linux 2 before September 2021 to support ISRG Root X1 certificates and avoid certificate compatibility issues.

If you are using Amazon Linux AMI, you should migrate to Amazon Linux 2 before September 30, 2021, when the support of ISRG Root X1 certificates becomes mandatory for Atlas, to avoid certificate compatibility issues.

Comment by Zachary Carr [ 01/Jun/21 ]

Hi jennifer.huang, thanks for the detailed ticket. I added an FAQ item in this PR: https://github.com/10gen/cloud-docs/pull/2364, would you mind taking a look to confirm it's accurate? I left out your manual install steps, both to encourage customers to migrate and to avoid maintaining a procedure. Let me know if you think we need the steps. Thanks!

If it's easier to review on this ticket, here's the staged view.

Comment by Jennifer Huang (Inactive) [ 27/May/21 ]

I can manually install ISRG root CA on Amazon Linux with the following steps:

  • Install the ca-certificates package:

    yum install ca-certificates

  • Enable the dynamic CA configuration feature:

    update-ca-trust force-enable

  • Get the ISRG cert.
  • Add it as a new file to /etc/pki/ca-trust/source/anchors/:

    cp isrgrootx1.pem /etc/pki/ca-trust/source/anchors/

  • Add it to the server root CA:

    update-ca-trust extract

For people who really don't want to migrate to Amazon Linux 2 before the end of September, they'll have to manually install the certificate. Not sure what level of detail we need to include in the doc about installing the CA; more testing is needed if we need to include commands.
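
A way to confirm the result of the manual steps in the comment above, added here as an example and not part of the ticket or the Atlas docs: these shell functions check that a certificate file appears in a PEM bundle regardless of line wrapping or line endings. The function names, the sample files (placeholder base64, not real certificates) and the bundle path in the final comment are assumptions.

```shell
#!/bin/sh
# Added example: confirm a CA certificate is present in a PEM trust bundle.

# pem_bodies FILE: print each certificate in FILE as one line of base64,
# skipping comments and anything outside BEGIN/END CERTIFICATE markers.
pem_bodies() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { body = ""; in_cert = 1; next }
        /^-----END CERTIFICATE-----/   { if (in_cert) print body; in_cert = 0; next }
        in_cert { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# bundle_trusts_cert BUNDLE CERT
#   returns 0 if CERT is in BUNDLE, 1 if it is not, 2 if CERT holds no PEM certificate
bundle_trusts_cert() {
    want=$(pem_bodies "$2" | head -n 1)
    [ -n "$want" ] || return 2
    pem_bodies "$1" | grep -Fxq -e "$want"
}

# make_sample DIR: write constructed sample files (placeholder base64, not real
# certificates): a bundle before and after the anchor is added, and the anchor.
make_sample() {
    printf '%s\n' '# Constructed Root A' '-----BEGIN CERTIFICATE-----' \
        'QUFBQUFBQUFBQUFB' 'QUFBQQ==' '-----END CERTIFICATE-----' > "$1/before.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QkJCQkJCQkJCQkJCQkJCQg==' \
        '-----END CERTIFICATE-----' > "$1/anchor.pem"
    # Same anchor, re-wrapped and with CRLF endings, appended to the bundle.
    { cat "$1/before.pem"
      printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'QkJCQkJCQkJC' 'QkJCQkJCQg==' \
          '-----END CERTIFICATE-----'; } > "$1/after.pem"
}

# On the host, after "update-ca-trust extract" (bundle path is an assumption,
# the usual extract location on RHEL-family systems):
#   bundle_trusts_cert /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem isrgrootx1.pem
```

A return code of 1 after the extract step means the anchor file was not picked up, which is worth checking before relying on the host to validate ISRG Root X1 chains.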

Comment by Phil Jordan [ 26/May/21 ]

FYI chris.shum

Generated at Thu Feb 08 08:10:31 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.