ApisCP dnf mirror ssl cert expired

Hello,
I’m getting the following errors on multiple servers. Looks like there is an issue with the cert. Visiting the https://yum.apiscp.com website it says net::ERR_CERT_AUTHORITY_INVALID. dnf update returns the following:

[MIRROR] apnscp-release-4-7.noarch.rpm: Curl error (35): SSL connect error for https://yum.apiscp.com/updates/8/x86_64/Packages/apnscp-release-4-7.noarch.rpm [error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired]
[MIRROR] apnscp-release-4-7.noarch.rpm: Curl error (35): SSL connect error for https://yum.apiscp.com/updates/8/x86_64/Packages/apnscp-release-4-7.noarch.rpm [error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired]
[MIRROR] apnscp-release-4-7.noarch.rpm: Curl error (35): SSL connect error for https://yum.apiscp.com/updates/8/x86_64/Packages/apnscp-release-4-7.noarch.rpm [error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired]
[MIRROR] apnscp-release-4-7.noarch.rpm: Curl error (35): SSL connect error for https://yum.apiscp.com/updates/8/x86_64/Packages/apnscp-release-4-7.noarch.rpm [error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired]
[FAILED] apnscp-release-4-7.noarch.rpm: No more mirrors to try - All mirrors were already tried without success

Please fix this. Thanks.

Intermediate expired, which cannot be reissued. Working on an interim fix to also allow lifetime licenses to renew that would remain valid longer than X1/X2 intermediates. Apache has no means to flag no_check_time without modifying mod_ssl source directly. Disabling certificate validation effectively bypasses the time check but also redacts all certificate metadata, which is how license renewals are negotiated.

It’s complicated to say the least, but working on a resolution.

Only the Yum repository is affected at this time. There’s a bypass in place with license.apiscp.com, which includes FLARE and other auxiliary services. Likewise license issuance is open and distributing new licenses from X2 presently.

Thanks for your quick answer.

Do I understand this correctly, that I just need to replace my installed apiscp license and then it’s working again? That would be an easy fix. 🙂

You may replace it or run upcp ; ./bin/scripts/license.php renew -f on edge. Changes have gone up now to automatically perform a certificate replacement for any license signed with X1, which would be any issued prior to October 31.

I’ll let this update run for a day before releasing a hotfix, 3.2.45.2.