7 comments

[ 3.1 ms ] story [ 30.6 ms ] thread
So we've done some testing, and it looks like this certificate needs to be removed from the root ca bundles of Ubuntu 16.04 and earlier, as well as Debian 9 and earlier, even if these hosts are otherwise up do date (including the root certificate bundle). We've gone head and rolled out a fix, but I guess consider this a heads up.

I mean, Debian 9 isn't that old.

Its relatively easy to test -- create a host using an older, affected distribution, set the time forward to, say, 6/1/2020, and run 'curl https://crt.sh/' . You should get a ceritifcate expired error

Why does it need to be removed? Shouldn't it just cleanly expire and be ignored?
Yes -- but on older linux distributions curl, etc continue to try to use it
Interesting, I would've expected them to ignore an expired cert in the chain if there is also a still valid one.
(comment deleted)
I have this issue on my browser using my older Mac Book Air. How do I fix this in laymen's terms?