We’re experiencing a blocking issue with at least one Let’s Encrypt cert because its root cert seems to have expired as of today in Docker images published by CircleCI, and an apt-get update does not help.
My first suggestion is to switch to the next-gen CircleCI Node.js image. So instead of circleci/node:14.17.6-stretch you would use cimg/node:14.17.6. You’re using a legacy image which will be deprecated in a couple months.
If you must stick with the legacy image, I’d try swapping out “stretch” for something newer such as “buster” and see if that helps. It’s a newer Debian base and so may have a newer SSL/TLS package that contains the new Let’s Encrypt root cert.
Just FYI @FelicianoTech, this issue is happening on the default VM image. I was able to fix it by editing /etc/ca-certificates.conf and removing DST_Root_CA_X3.pem. I then tried running update-ca-certificates but that didn’t remove the certs. I had to run dpkg-reconfigure ca-certificates and then choose ‘yes’ and then ‘ok’. Hopefully this gets resolved quickly as it breaks curl interacting with Let’s Encrypt endpoints.
@FelicianoTech any updates on this? This is also breaking Go modules within our pipeline due to gopkg.in using Let’s Encrypt. See this Reddit thread for more information.
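Added example, not part of any post in this thread: a non-interactive form of the workaround in the post above, for a CI step. On Debian/Ubuntu, update-ca-certificates treats an entry prefixed with `!` in /etc/ca-certificates.conf as deselected and drops it from the generated bundle. The entry name `mozilla/DST_Root_CA_X3.crt` is the Debian package's name and is an assumption about your image; `deselect_ca` and the `--apply` flag are names made up for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): deselect the expired DST Root CA X3
# in a Debian/Ubuntu ca-certificates.conf by prefixing its entry with "!".

# Assumption: entry name as shipped by Debian's ca-certificates package.
# Confirm on your image with: grep DST /etc/ca-certificates.conf
DST_ENTRY="mozilla/DST_Root_CA_X3.crt"

# deselect_ca CONF ENTRY  (hypothetical helper name)
# Returns 0 if ENTRY is deselected afterwards, 1 if CONF never listed it.
deselect_ca() {
    conf=$1
    entry=$2
    # Already deselected: nothing to do, so reruns are harmless.
    if grep -qxF -e "!$entry" "$conf"; then
        return 0
    fi
    # Not listed at all: report it rather than silently succeeding.
    if ! grep -qxF -e "$entry" "$conf"; then
        return 1
    fi
    tmp=$(mktemp) || return 2
    # Rewrite only the exact matching line; comments and other CAs stay.
    awk -v e="$entry" '$0 == e { print "!" e; next } { print }' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"  # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Only touches the real trust store when called with --apply (as root).
if [ "${1:-}" = "--apply" ]; then
    deselect_ca /etc/ca-certificates.conf "$DST_ENTRY" &&
        update-ca-certificates
fi
```

A return code of 1 means the image does not list that entry under this name, so the trust store was left untouched and the step should fail rather than pass silently.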
Any help you can provide would be greatly appreciated!
I tried all suggested solutions on CircleCI macOS executors.
However, none of them worked; SSL errors all over the place still.
So I looked up where the CAs are loaded from effectively:
Then I added a command step to the CircleCI config that downloads from curl_se and replaces the pem at the system /usr/local/etc/openssl/cert.pem.
Now it works as expected again and I can connect to my domains that use Let’s Encrypt.
@bytesguy
Meanwhile, we are looking at how we can fix this without end-user intervention.
Maybe providing a proper/fixed file at /usr/local/etc/openssl/cert.pem by default is what you are looking for?
Hope it is helpful to somebody.
BTW: I tried all kinds of available CircleCI macOS versions (circleci config xcode: tag) and none resolved the issue. (As the suggestion was to “use Xcode 12.5”.)