AddTrust or UserTrust root CA causes connectivity issues

Updated 2 years ago by admin

The AddTrust root certificate expired on 30th May 2020. Any USS Gateway device that hasn't been updated will fail to verify domains whose TLS certificate chain references AddTrust. Although this should not have affected any modern OS, some Ubuntu 16.04 certificate stores have not been updated, and this can lead to TLS/SSL verification errors when accessing various websites.

The steps to resolve this issue are as follows:

  1. Log in to the USS Gateway device as a root user (see Accessing the Command Line)
  2. Run: nano /etc/ca-certificates.conf and use the arrow keys to find the line containing "AddTrust_External_Root.crt" or "AddTrustExternalRoot.crt"
  3. Delete the whole line
  4. Save the file by holding down Ctrl and pressing the letter O, and then exit by holding down Ctrl and pressing the letter X
  5. Remove the old AddTrust_External_Root.crt certificate file by running the following commands. One command may fail; this is expected, as the file will be in only one of the two locations depending on your system.
     rm /usr/local/share/ca-certificates/AddTrustExternalRoot.crt
     rm /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
  6. Run: update-ca-certificates --fresh
  7. Run: /etc/init.d/uss-squid stop
  8. Wait 10 seconds
  9. Run: /etc/init.d/uss-squid start
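
The certificate-store part of the procedure above (editing /etc/ca-certificates.conf, removing the certificate file and running update-ca-certificates --fresh) can also be scripted and then verified. The following is an added example, not vendor-supplied code; the function names, the script name and the optional root-prefix argument (which lets you try it against a copy of the files first) are assumptions. The uss-squid stop/start steps are still run by hand afterwards.

```shell
#!/bin/sh
# Added example, not vendor code. Function names and the optional root
# prefix argument (used for testing against a copy) are assumptions.

# Matches both certificate file names mentioned in the steps.
ADDTRUST_RE='AddTrust_External_Root\.crt|AddTrustExternalRoot\.crt'

# List the lines (with line numbers) of a ca-certificates.conf that name AddTrust.
addtrust_entries() {
    grep -nE "$ADDTRUST_RE" "$1"
}

# Delete those lines in place, keeping the original as <conf>.bak.
remove_addtrust_entries() {
    cp -p "$1" "$1.bak" || return 1
    sed -E "/$ADDTRUST_RE/d" "$1.bak" > "$1"
}

# Remove the certificate from both locations; rm -f tolerates the missing one.
remove_addtrust_files() {
    rm -f "${1:-}/usr/local/share/ca-certificates/AddTrustExternalRoot.crt" \
          "${1:-}/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt"
}

# Succeed only when the conf has no AddTrust line and neither file remains.
addtrust_clean() {
    if addtrust_entries "${1:-}/etc/ca-certificates.conf" >/dev/null; then
        return 1
    fi
    [ ! -e "${1:-}/usr/local/share/ca-certificates/AddTrustExternalRoot.crt" ] &&
    [ ! -e "${1:-}/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt" ]
}

# As root on the device: sh addtrust-fix.sh apply   (script name is hypothetical)
if [ "${1:-}" = "apply" ]; then
    remove_addtrust_entries /etc/ca-certificates.conf &&
    remove_addtrust_files &&
    update-ca-certificates --fresh &&
    addtrust_clean && echo "AddTrust removed from the trust store"
fi
```

The pattern matches only the two AddTrust file names, so other entries in the file, including any USERTrust lines, are left in place.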
