Recovering from sync failure, expired certificate

Replacing let's encrypt expired root certificate

Sections in this article

Let’s Encrypt root certificate expired on September 30, 2021

Let’s Encrypt is a nonprofit certificate authority that provides TLS certificates powering much of the secure web. WingTask taskserver uses Let’s Encrypt for the TLS certificates, on September 30, 2021 the DST Root CA X3 certificate for Let’s Encrypt expired. This impacts WingTask users who try to sync with the expired CA root which was given to all users prior to October 13th, 2021 as part of the wingtask certificates and is file ‘dst.pem’.

Requisite conditions

.taskrc config is configured to use the expired root cert (dst.pem):

taskd.ca=~/.wingtask_certs\/dst.pem

Verifying that a task sync failure is due to an expired Let’s Encrypt root certificate

This issue will affect WingTask users who signed up before October 1st, 2021 and not users after October 1st, 2021. The issue is first noticed when attempting to sync.

Task sync failed screenshot from console

Running task sync with diagnostic arguments can provide a more specific reason for the sync failure.

$ task rc.debug=1 rc.debug.tls=2 sync
Task sync with diagnostic flags screenshot from console

Solution: Replace expired DST root certficate with current ISRG Root X1

  1. Download new root certificate ISRG Root X1 More info on ISRG ROOT X1
  2. Move isrg_root_x1.pem to your wingtask_certs dir located at ~/.wingtask_certs
  3. Configure taskd to use isrg_root_x1.pem as the new taskd.ca setting
  4. 
    $ task config taskd.ca "~/.wingtask_certs/isrg_root_x1.pem"
    Config file /home/timcase/.taskrc modified.
    
    
  5. Sync should now be working
  6. 
    $ task sync