From 659599f76158d9562a442815ccc2c96067b43a91 Mon Sep 17 00:00:00 2001
From: Dave Eargle
Date: Thu, 13 Jul 2023 17:50:46 -0600
Subject: [PATCH 1/2] remove expired DST root CA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

see https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/:

> The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

(The Ubuntu VM is on OpenSSL 1.0.1f)

closes #590
---
 .../cookbooks/metasploitable/recipes/system_config.rb | 11 +++++++++++
 chef/dev/ub1404/Vagrantfile | 1 +
 packer/templates/ubuntu_1404.json | 2 ++
 3 files changed, 14 insertions(+)
 create mode 100644 chef/cookbooks/metasploitable/recipes/system_config.rb

diff --git a/chef/cookbooks/metasploitable/recipes/system_config.rb b/chef/cookbooks/metasploitable/recipes/system_config.rb
new file mode 100644
index 00000000..94f0f873
--- /dev/null
+++ b/chef/cookbooks/metasploitable/recipes/system_config.rb
@@ -0,0 +1,11 @@
+# See https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ and https://github.com/chef/chef/issues/12126
+
+bash 'disable expired DST Root CA X3 certificate' do
+ code <<-EOS
+ sed -i 's:^mozilla/DST_Root_CA_X3.crt:!mozilla/DST_Root_CA_X3.crt:' /etc/ca-certificates.conf
+ update-ca-certificates
+ EOS
+ not_if "grep -q '^!mozilla/DST_Root_CA_X3.crt' /etc/ca-certificates.conf"
+end
+
+ENV['SSL_CERT_FILE'] = '/etc/ssl/certs/ca-certificates.crt'
diff --git a/chef/dev/ub1404/Vagrantfile b/chef/dev/ub1404/Vagrantfile
index ed1859d2..02be4239 100644
--- a/chef/dev/ub1404/Vagrantfile
+++ b/chef/dev/ub1404/Vagrantfile
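Review bot: The `not_if` guard on the bash resource only matches once the entry has already been rewritten with a leading `!`; if `mozilla/DST_Root_CA_X3.crt` is not present in /etc/ca-certificates.conf at all (never shipped, or dropped by a later ca-certificates package), `sed -i` changes nothing and the resource re-runs `update-ca-certificates` on every converge. Guarding on the enabled entry instead keeps the resource idempotent in both cases: `only_if "grep -q '^mozilla/DST_Root_CA_X3.crt' /etc/ca-certificates.conf"`. The `ENV['SSL_CERT_FILE']` assignment on the last line is a compile-phase side effect on the chef-client process itself, not VM configuration, so it presumably only steers this run's own HTTPS requests at the system bundle; a comment would make that explicit, e.g. `# Compile-time: points this chef-client run's own OpenSSL at the regenerated system bundle; not persisted to the VM`.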
@@ -24,6 +24,7 @@ Vagrant.configure("2") do |config|
 chef.add_recipe "apt::default"
 chef.add_recipe "iptables::default"
+ chef.add_recipe "metasploitable:system_config"
 chef.add_recipe "metasploitable::users"
 chef.add_recipe "metasploitable::mysql"
 chef.add_recipe "metasploitable::apache_continuum"
diff --git a/packer/templates/ubuntu_1404.json b/packer/templates/ubuntu_1404.json
index b6c995be..f99a0919 100644
--- a/packer/templates/ubuntu_1404.json
+++ b/packer/templates/ubuntu_1404.json
@@ -158,6 +158,8 @@
 ],
 "run_list": [
 "apt::default",
+ "iptables::default",
+ "metasploitable::system_config",
 "metasploitable::users",
 "metasploitable::mysql",
 "metasploitable::apache_continuum",

From b0399f836076782fbfda5e652d01efda9b3114b4 Mon Sep 17 00:00:00 2001
From: Dave Eargle
Date: Thu, 13 Jul 2023 17:55:58 -0600
Subject: [PATCH 2/2] actually it isn't necessary to add the iptables recipe

---
 packer/templates/ubuntu_1404.json | 1 -
 1 file changed, 1 deletion(-)

diff --git a/packer/templates/ubuntu_1404.json b/packer/templates/ubuntu_1404.json
index f99a0919..8322e525 100644
--- a/packer/templates/ubuntu_1404.json
+++ b/packer/templates/ubuntu_1404.json
@@ -158,7 +158,6 @@
 ],
 "run_list": [
 "apt::default",
- "iptables::default",
 "metasploitable::system_config",
 "metasploitable::users",
 "metasploitable::mysql",
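Review bot: The recipe name added to the Vagrantfile, `"metasploitable:system_config"`, has a single colon, while Chef's cookbook::recipe form and the packer run_list entry in the next hunk (`"metasploitable::system_config"`) use two; as written Chef will most likely resolve this as a cookbook named `metasploitable:system_config` and fail the dev-box converge with a cookbook-not-found error rather than apply the new recipe. The line should read `chef.add_recipe "metasploitable::system_config"`. The hunk header announces 7 new-side lines but only 6 are visible here, so one context line appears to have been lost in rendering; the enclosing `Vagrant.configure` block starts and ends outside the hunk.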