
Sectigo AddTrust External CA Root Expiring May 30, 2020 - hayzeus
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
======
hayzeus
So we've done some testing, and it looks like this certificate needs to be
removed from the root ca bundles of Ubuntu 16.04 and earlier, as well as
Debian 9 and earlier, even if these hosts are otherwise up do date (including
the root certificate bundle). We've gone head and rolled out a fix, but I
guess consider this a heads up.

I mean, Debian 9 isn't that old.

Its relatively easy to test -- create a host using an older, affected
distribution, set the time forward to, say, 6/1/2020, and run 'curl
[https://crt.sh/'](https://crt.sh/') . You should get a ceritifcate expired
error

~~~
detaro
Why does it need to be removed? Shouldn't it just cleanly expire and be
ignored?

~~~
hayzeus
Yes -- but on older linux distributions curl, etc continue to try to use it

~~~
detaro
Interesting, I would've expected them to ignore an expired cert in the chain
if there is also a still valid one.

------
andriyk
I have this issue on my browser using my older Mac Book Air. How do I fix this
in laymen's terms?

------
trelliscoded
I o

