Letsencrypt ssl on centos6

ViAdCk

Hi,

We have some clients who are running centos6 and since the letsencrypt root expiration are having the following issues:

1) Whenever wget or curl is used in a cron it gives the following error:

ERROR: cannot verify www.domain.com's certificate, issued by
`/C=US/O=Let\'s Encrypt/CN=R3':
Issued certificate has expired.

2) It's not possible to issue new letsencrypt certificates, generating the following error:

Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory":" x509: certificate signed by unknown authority. Certificate generation failed.

On centos7 this is easily fixed by updating the ca-certificates, but this isn't working for centos6.

Does anyone have any solutions for centos6?

Kind regards
 

Zhenyapan

When I tried to find it, I just found that someone recompiles openssl with manual patching. For my clients it was the last drop to move to a fresh OS, because nobody wants to play with custom compilations on an OS without a working repo. You can try to apply patches/packages from redhat 6 - they released fixes for this old OS.
 

Active8

There is a possibility if you are willing to pay for updates offered by CloudLinux (ELS).
We have a Centos 6 box with this subscription; everything is fully patched and we have no problems with generating LE certificates.
 

ViAdCk

These are openvz vps servers, I don't think this is an option.
 

IXPLANET

You can upgrade openssl to 1.0.2k first: download and patch openssl 1.0.2k el7, create an rpm and patch it from centos 7 to el6, and do the same for the ca-certificate rpm based on el7, so it will be compatible with centos 6. I successfully did it a few weeks ago.
Convert and patch openssl and ca-certificate from el7 to el6 and install them on centos 6, and the wget, curl and ssl certificate expiry issue will be fixed.
 

ViAdCk

Thanks but sounds easier said than done. If you know a tutorial for this it would be appreciated!
 