After deploying the new HAK5 C2 Cloud instance on AWS LightSail (tutorial here), I found that my HAK5 KeyCrocs wouldn’t connect if I had HTTPS enabled on my C2 instance. I didn’t feel comfortable not using HTTPS, even though I have it locked down to IP addresses, because even sensitive customer data would still be sent in plaintext.
After banging my head against this for a while, I took to the HAK5 forums, and the ever-helpful dark_pyrro came to the rescue, confirming that this was most likely down to Let’s Encrypt expiring their root certificates and correctly guessing I’d used Let’s Encrypt to generate my SSL certificates.
Dark_pyrro then went on to provide me with the steps to diagnose/check and then resolve the issue, which I’ve replicated below so that they are hopefully easy for others to find.
Note that this fix only applies to situations where you are using Let’s Encrypt for your Cloud C2 SSL certificate. If you have a purchased or self-signed one, this is unlikely to help.
Check that this is indeed the issue by connecting to the KeyCrocs via SSH and running the following command:
curl -I https://your.c2-domain.com/
Both should indicate that the certificate has expired (the root certificate, that is).
Verify whether the expired “DST Root CA X3” certificate is on the KeyCrocs. It should be there if you got expired certificate errors from the command above:
grep X3 /etc/ca-certificates.conf
The output will include “mozilla/DST_Root_CA_X3.crt” if the KeyCrocs has the certificate installed.
Take a copy of the ca-certificates.conf file (just in case), adding the suffix “old1” to its name:
cp /etc/ca-certificates.conf /etc/ca-certificates.conf.old1
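Remove the X3 root certificate from the trusted set. The command prefixes its line in ca-certificates.conf with “!”, which marks the certificate as deselected: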
sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf
Update the certificates on the device:
update-ca-certificates -f
Use the diff command to compare the new and old configuration files. This should show the “DST Root CA X3” line as the only difference now that it has been deselected:
diff /etc/ca-certificates.conf /etc/ca-certificates.conf.old1
If you run the first command again, it should now retrieve the page with no problems, since the SSL root certificate issue has been resolved:
curl -I https://your.c2-domain.com/
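The steps above combined into one script that is safe to re-run, as an added example that is not part of the original post or of dark_pyrro's instructions. The function names and the --apply switch are hypothetical, and the config path is a parameter so the change can be tried on a copy first.

```shell
#!/bin/sh
# Added example: re-runnable form of the manual steps (names are hypothetical).
X3_ENTRY='mozilla/DST_Root_CA_X3.crt'

# x3_state CONF: print "active", "deselected" or "absent" for the X3 root.
x3_state() {
    if grep -qFx "$X3_ENTRY" "$1"; then
        echo active
    elif grep -qFx "!$X3_ENTRY" "$1"; then
        echo deselected
    else
        echo absent
    fi
}

# deselect_x3 CONF: back up CONF to CONF.old1 (an existing backup is kept),
# then prefix the X3 line with "!" using the same sed expression as above.
# Returns 0 if the file was changed, 1 if there was nothing to change.
deselect_x3() {
    conf=$1
    [ "$(x3_state "$conf")" = active ] || return 1
    [ -e "$conf.old1" ] || cp "$conf" "$conf.old1"
    tmp=$(mktemp) || return 2
    # Write through a temp file, then cat back so CONF keeps its permissions.
    sed '/^mozilla\/DST_Root_CA_X3/s/^/!/' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
    [ "$(x3_state "$conf")" = deselected ]
}

# Only touches the real trust store when asked: sh fix_x3.sh --apply
if [ "${1:-}" = "--apply" ]; then
    conf=/etc/ca-certificates.conf
    echo "before: $(x3_state "$conf")"
    if deselect_x3 "$conf"; then
        update-ca-certificates -f
        diff "$conf" "$conf.old1"   # should differ on the X3 line only
    fi
    echo "after: $(x3_state "$conf")"
fi
```

Running it a second time leaves the file and the .old1 backup untouched, because the X3 entry is already deselected.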