LetsEncryptFix

September 30, 2021: As planned, the DST Root CA X3 cross-sign has expired, and we’re now using our own ISRG Root X1 for trust on almost all devices. We have also updated our Production Chain Changes thread on our community forum – our team and community are here and ready to help with any questions you may have about this expiration.

About this download / bugfix

As the quote above states, the old DST Root CA X3 used by LetsEncrypt expired on September 30, 2021. However, most of the certificates “in the wild” still contain a path to the expired certificate in order to support older Android devices whose list of certificates is no longer being updated (details).

Unfortunately, the ReadyNAS is also still using the outdated certificates, mainly because the ca-certificates package in the base OS hasn’t been updated for ages. This means that all tools that rely on certificate validation for SSL connections are likely to fail when they encounter a LetsEncrypt certificate on the opposite side of the connection. Affected tools are:

  • curl
  • wget
  • php (and everything built on it like Nextcloud)
  • … and everything else that uses the ca-certificates package for SSL validation.

This add-on fixes the problem by installing an updated version of the ca-certificates package (backported from the latest Debian release “bullseye”) and updated curl and openssl libraries built with support for the new certificate chains.
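The following check is an added example, not part of the add-on or of the original page: it reports which trust anchors in a CA bundle have expired and whether ISRG Root X1 is present, using Python's standard `ssl` module. The function names, the use of Python 3 and the `SAMPLE` entries (constructed, in the shape `SSLContext.get_ca_certs()` returns) are assumptions; on Debian-based systems the bundle is usually `/etc/ssl/certs/ca-certificates.crt`.

```python
import ssl
import sys
import time


def common_name(name):
    """Return the commonName from a subject tuple as produced by the ssl module."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no commonName>"  # some older roots carry only O/OU fields


def audit_ca_store(ca_certs, required_cn="ISRG Root X1", now=None):
    """List expired trust anchors and report whether an unexpired required root exists."""
    now = time.time() if now is None else now
    expired, has_required = [], False
    for cert in ca_certs:
        cn = common_name(cert.get("subject", ()))
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append(cn)
        elif cn == required_cn:
            has_required = True
    return {"expired": sorted(expired), "has_required": has_required}


def load_bundle(path):
    """Load a PEM bundle and return its CA certificates as dicts (no network access)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()


# Constructed sample entries, reduced to the fields the audit reads.
SAMPLE = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]

if __name__ == "__main__":
    # Usage: python3 audit_ca.py /etc/ssl/certs/ca-certificates.crt
    certs = load_bundle(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(audit_ca_store(certs))
```

A bundle that lists DST Root CA X3 under `expired` or returns `has_required` as false has not picked up the updated ca-certificates data.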

Note: To install, just add it to your ReadyNAS as you would a normal add-on (e.g. upload it in the “Addons” tab). However, after installation the add-on will not show up in the list of installed add-ons, so as not to clutter the interface.

While the add-on is made available free of charge, I appreciate donations if you found this helpful:

Specs
Release date: November 2, 2021
Last updated: November 2, 2021
Current version: 22.11.02
Product type: ReadyNAS OS 6 Add-On (R6all)
File format: .deb
File size: 3kB
Requirements: ReadyNAS OS 6.x (x86 or ARM) [6.10.0+]